Edit tour

Windows Analysis Report
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Analysis ID:	1556597
MD5:	c0ff92d3f8d44d4b144d62a25203fb54
SHA1:	7c629df73009ae5e11173087b8b899efb0bcc1e7
SHA256:	1714590ed838170aed9ae4fcf702db472b860f5e4efaf25056aae4c219ce9921
Tags:	exescruser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

QUOTATION_NOVQTRA071244#U00faPDF.scr.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe" MD5: C0FF92D3F8D44D4B144D62A25203FB54)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T17:40:00.113855+0100	2803305	3	Unknown Traffic	192.168.2.6	49986	188.114.96.3	80	TCP
2024-11-15T17:40:01.435710+0100	2803305	3	Unknown Traffic	192.168.2.6	49987	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49725 version: TLS 1.2

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.io
Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.io

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49986 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49987 -> 188.114.96.3:443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.io
Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/XrlEIxYp/download HTTP/1.1Host: filetransfer.io

Source: global traffic

DNS traffic detected: DNS query: filetransfer.io

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 15 Nov 2024 16:38:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: Nette Framework 3X-Frame-Options: SAMEORIGINSet-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnlySet-Cookie: PHPSESSID=kftjvm7h2btmb5me047ohunr98; expires=Fri, 29-Nov-2024 16:38:20 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheVary: X-Requested-WithVary: X-Requested-Withcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rykX2t%2BnWfW94t3WWViDsWqzDVZNa4kIxVH%2Bo117byWh6gx%2FZK30GnVVNJO5EkrK7F0c0Md4rD%2FYllWuZxqZtI4gUKji3InpdXhyqHRF75XjZq0iyF94LRAX2enskigggpg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e30abc778ce68fc-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1212&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=2231124&cwnd=237&unsent_bytes=0&cid=de410d980cb00005&ts=853&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 15 Nov 2024 16:40:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: Nette Framework 3X-Frame-Options: SAMEORIGINSet-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnlySet-Cookie: PHPSESSID=8g49j7fl0i4vb28uoap7nvncej; expires=Fri, 29-Nov-2024 16:40:01 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheVary: X-Requested-WithVary: X-Requested-Withcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h3jgFGNcdMZk7eIyuYE5di9BwXG6VIZIXZRbMAWePYYZqVnaUOPQ63TX71qOllVzuzxo9T2y%2FGJy4o1CkZq50Cu7ot%2FOMhUAygIZ8I3FquhviwrIttMxmxg7i5gIPBaZRjs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e30ae3cd8ad1440-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1249&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=2215761&cwnd=244&unsent_bytes=0&cid=65e613fcaa8741df&ts=769&x=0"

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6370000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6364000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63D9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6393000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B62BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io/data-package/XrlEIxYp/download
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6430000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://palo-alto.cz/
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B62BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63D9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B637A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6370000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63D9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B637A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6393000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/XrlEIxYp/download
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6430000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/dist/filetransfer-social-en.389488efe49681ac059b218c21161d72.png
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6430000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.filetransfer.io/

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49725 version: TLS 1.2

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Code function: 0_2_00007FFD343F9307

0_2_00007FFD343F9307

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000000.2166849280.00000197B42A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOzkay.exeH vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameOzkay.exeH vs QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Source: classification engine

Classification label: mal64.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Mutant created: NULL

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, Field.cs

.Net Code: ReadRepository System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD343F00BD pushad ; iretd	0_2_00007FFD343F00C1
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD343FBD78 push E95CC7E7h; ret	0_2_00007FFD343FBD99
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Code function: 0_2_00007FFD343F13AB push edx; ret	0_2_00007FFD343F13AC

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Memory allocated: 197B4600000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Memory allocated: 197CE2B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 500093			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Window / User API: threadDelayed 1397

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 1172	Thread sleep count: 1397 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 2120	Thread sleep count: 198 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 6188	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 6188	Thread sleep time: -500093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe TID: 6188	Thread sleep time: -100000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 500093	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior

Source: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024197877.00000197B4433000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Queries volume information: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	21%	ReversingLabs	Win64.Trojan.Generic
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
filetransfer.io	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filetransfer.io/data-package/XrlEIxYp/download	false		high
http://filetransfer.io/data-package/XrlEIxYp/download	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63D9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B637A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://filetransfer.io/dist/filetransfer-social-en.389488efe49681ac059b218c21161d72.png	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6430000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://palo-alto.cz/	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6430000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://filetransfer.io	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6370000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6364000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63D9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6393000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B62BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.filetransfer.io/	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B6430000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, 00000000.00000002.4024829585.00000197B63BC000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	filetransfer.io	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556597
Start date and time:	2024-11-15 17:37:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_NOVQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_NOVQTRA071244#U00faPDF.scr.exe, PID 5352 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download
	gusetup.exe	Get hash	malicious	Unknown	Browse	go.glarysoft.com/g/t/releasenotes/cn/10000/s/Glary%20Utilities/v/6.16.0.20
	BlgAsBdkiD.exe	Get hash	malicious	FormBook	Browse	www.vrxlzluy.shop/d8g5/
	Facebook_Advertiser_Position_Description.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
	https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/graylinelaketahoe.com&c=E,1,BWhR2At2OZAdw2Kzdn7d-U-fLZRdgzpdTFbcA87JOQxek-SzsLBqKBG-KMVpA5JovWFRbO4mN3q2zPe1YDaTOG57b4G9v05-IgsJXqrG4om_58_65Os9ldlZ&typo=1	Get hash	malicious	Unknown	Browse	graylinelaketahoe.com/
	View Pdf Doc_a42d45ecadd4b9604949c99fe71e46fe.htm	Get hash	malicious	Unknown	Browse	jssqm.nhgrt.top/WjBkrg/34JSSQm34?&&2yq=bC5zY2FybGF0ZWxsaUBhbG1hdml2YS5pdA%3D%3D
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	www.rtpwslot888gol.sbs/7arg/
	Yeni sipari#U015f _TR-59647-WJO-001.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/lmTya
	View Pdf Doc_1c854e0875fca437af9ba7046d2f6712.htm	Get hash	malicious	Unknown	Browse	zy8wq.nhgrt.top/DydymQ/31zY8wQ31?&&r4n=Z2FicmllbGUuY29uZ2Vkb0BnZi5jb20%3D

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
filetransfer.io	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	DfEohEn32q.exe	Get hash	malicious	LummaC	Browse	172.67.184.208
	http://portableapps.com	Get hash	malicious	Unknown	Browse	172.64.145.29
	https://socialmedia-insights.bloemlight.com/XZTB1bnY3MDBCd0JJTUhGR0lPRHBsZEtuUVJIdkcvK0lLTGlHV1NNdldOYVNpc0xSR0lyRlJoZjBTMEFqNjUwYVlBeitmYVU0NHl6bFdXRzJKVmhENytORlF0SEZ5NVJaWFk4UisvSFVLTnM4WkJpcUk5UVpnblcwVERwWmVZazlma09qenhpeXNUOVM3eE12TU03ZjlCTTQrcGJPRXdRZlRVdXptM2dlVm12SnY0VjNVNGVpUHJycVlGbEQydz09LS1LVEpKanlxVmw0Zkdqc2FtLS0rVEVicDZaZnl6L3YwV2V5MVdzVmpRPT0=?cid=2274448099	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	https://onlinedropboxfile.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	http://looklossjo.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://pto.bicepheady.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://url11.kmt4ispayroll.com/?id=eyJlbWFpbF9pZCI6ImRnVER4d2NEQVAyTURfeU1Ed0dUSlVtb194VC0xeUp6Wk-t3aldrdz0iLCJocmVmIjoiaHR0cHM6Ly90Lm1lL3N0YWN5X215YnJvY2FyZCIs-ImludGVybmFsIjoiYzNjNzA3MDhmYzM5ZmQ4YzBmIiwibGlua19pZCI6ODY4fQ-e06f9243688f8d3f6986ffbedf3a11c620bbea820e86e17c3fd3a4979cbc3e26AOMMRkVTE4y4i4MhR8PO5Li1enwscIrfMMFkF0FdObryKs8IHKZe9lNXxCYB	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	http://portableapps.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	grd.ps1	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	Email_sending_restriction_[sebastien.morel!](#HOHSM).html	Get hash	malicious	Unknown	Browse	188.114.96.3
	BankInformation.vbe	Get hash	malicious	AgentTesla	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.710405118092613
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
File size:	187'392 bytes
MD5:	c0ff92d3f8d44d4b144d62a25203fb54
SHA1:	7c629df73009ae5e11173087b8b899efb0bcc1e7
SHA256:	1714590ed838170aed9ae4fcf702db472b860f5e4efaf25056aae4c219ce9921
SHA512:	ef7829d88818df1e768242d12d25dd49b2d9afb15bab3fbced8e8b30de1530aa74842a3e37729391f4f068944d2b98eef3cf561e686c78e535cc6559e54f4221
SSDEEP:	3072:JZpuHH5banPQKWBTVOc8pdOo6NPzKkwGLu0AsxLzBuO:JDunNsPeBsc8dOo6NPuk5ixsFzBu
TLSH:	BA04D403B99BA5B1C298273EC6FB04040775E582B697DFC9358EA3EA0F437B69D05607
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...K.6g................................. ....@...... ....................... ............`...@......@............... .....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6736E44B [Fri Nov 15 06:03:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2d390	0x2d400	482b627ca5e61a859c4f39246def7a08	False	0.42360691470994477	data	5.723461106712719	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x5ac	0x600	debebf4a59509cff34da15ff2bd38e67	False	0.4192708333333333	data	4.042695116528086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x300a0	0x358	data			0.41705607476635514
RT_MANIFEST	0x303f8	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators			0.5642201834862385

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-15T17:40:00.113855+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49986	188.114.96.3	80	TCP
2024-11-15T17:40:01.435710+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49987	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 17:38:18.310935020 CET	49716	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:18.315960884 CET	80	49716	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:18.316037893 CET	49716	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:18.318867922 CET	49716	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:18.323738098 CET	80	49716	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.261573076 CET	80	49716	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.261593103 CET	80	49716	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.261647940 CET	49716	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:19.271101952 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:19.271132946 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.271228075 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:19.298352003 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:19.298371077 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.945009947 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.945111990 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:19.948618889 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:19.948628902 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.948873043 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:19.988811016 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.004975080 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.047333956 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.784929037 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.784982920 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785006046 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785029888 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785054922 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785080910 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785104036 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785125971 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.785130978 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785185099 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.785221100 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.785221100 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.789670944 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.789695024 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.789755106 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.789761066 CET	443	49725	188.114.96.3	192.168.2.6
Nov 15, 2024 17:38:20.789809942 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:38:20.812058926 CET	49725	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:39:59.169277906 CET	49986	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:39:59.174365997 CET	80	49986	188.114.96.3	192.168.2.6
Nov 15, 2024 17:39:59.174607992 CET	49986	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:39:59.175015926 CET	49986	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:39:59.179949045 CET	80	49986	188.114.96.3	192.168.2.6
Nov 15, 2024 17:39:59.270354986 CET	49716	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:39:59.275605917 CET	80	49716	188.114.96.3	192.168.2.6
Nov 15, 2024 17:39:59.275742054 CET	49716	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:00.072263956 CET	80	49986	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:00.072983027 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:00.073029995 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:00.073098898 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:00.073437929 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:00.073452950 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:00.113854885 CET	49986	80	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:00.675267935 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:00.714922905 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:00.714946985 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435714006 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435761929 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435787916 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435811996 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435837030 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435861111 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435884953 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435910940 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:01.435934067 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.435950994 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:01.436007977 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:01.436435938 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.436482906 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.436543941 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:01.436561108 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.437330961 CET	443	49987	188.114.96.3	192.168.2.6
Nov 15, 2024 17:40:01.437477112 CET	49987	443	192.168.2.6	188.114.96.3
Nov 15, 2024 17:40:01.437988997 CET	49987	443	192.168.2.6	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 17:38:18.272855043 CET	54852	53	192.168.2.6	1.1.1.1
Nov 15, 2024 17:38:18.282004118 CET	53	54852	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 15, 2024 17:38:18.272855043 CET	192.168.2.6	1.1.1.1	0xdd24	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 15, 2024 17:38:18.282004118 CET	1.1.1.1	192.168.2.6	0xdd24	No error (0)	filetransfer.io		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 15, 2024 17:38:18.282004118 CET	1.1.1.1	192.168.2.6	0xdd24	No error (0)	filetransfer.io		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	188.114.96.3	80	5352	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 17:38:18.318867922 CET	95	OUT	GET /data-package/XrlEIxYp/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Nov 15, 2024 17:38:19.261573076 CET	987	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 15 Nov 2024 16:38:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/XrlEIxYp/download cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1H8vTBcdTCS1feVteHThnmAnAShd5MN0Sq5sYbAOIUzI7HgU5ioyk8np3UKyArx76mOT5r%2FiGiZwoAxJM20VKD1b75BnUT6%2FVceYFhmb2CZncA8Bz6d0yUsai5QYhppfHhg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e30abc009ac6b04-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1220&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Nov 15, 2024 17:38:19.261593103 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49986	188.114.96.3	80	5352	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 17:39:59.175015926 CET	71	OUT	GET /data-package/XrlEIxYp/download HTTP/1.1 Host: filetransfer.io
Nov 15, 2024 17:40:00.072263956 CET	990	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 15 Nov 2024 16:40:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/XrlEIxYp/download cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NjRk4Z5QC0Uf4d071BnEgUw6cPOIjUjUv5uRKiedmX5uNx3pbMstRNHwNUhi5xTJ5JOLn7fS3SYwjkFPsTgrabhXXg9YXgEoW69BOvmLrQIr%2BWvzwk9GUxF3NO5owZD0uY0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e30ae362a946be3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1140&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=71&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49725	188.114.96.3	443	5352	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-15 16:38:20 UTC	95	OUT	GET /data-package/XrlEIxYp/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-11-15 16:38:20 UTC	1202	IN	HTTP/1.1 403 Forbidden Date: Fri, 15 Nov 2024 16:38:20 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=kftjvm7h2btmb5me047ohunr98; expires=Fri, 29-Nov-2024 16:38:20 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Vary: X-Requested-With cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rykX2t%2BnWfW94t3WWViDsWqzDVZNa4kIxVH%2Bo117byWh6gx%2FZK30GnVVNJO5EkrK7F0c0Md4rD%2FYllWuZxqZtI4gUKji3InpdXhyqHRF75XjZq0iyF94LRAX2enskigggpg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e30abc778ce68fc-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1212&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=2231124&cwnd=237&unsent_bytes=0&cid=de410d980cb00005&ts=853&x=0"
2024-11-15 16:38:20 UTC	167	IN	Data Raw: 33 34 36 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 37 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 38 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 Data Ascii: 346c<!DOCTYPE html>...[if lt IE 8 ]><html lang="cs" class="ie7 no-js"> <![endif]-->...[if lt IE 9 ]><html lang="cs" class="ie8 no-js"> <![endif]-->...[if lt
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 49 45 20 31 30 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 39 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 31 30 29 7c 21 28 49 45 29 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 0a 09 20 20 64 61 74 61 2d 64 65 66 61 75 6c 74 2d 74 69 6d 65 7a 6f 6e 65 3d 22 45 74 63 2f 55 54 43 22 20 64 61 74 61 2d 6f 6c 64 2d 62 72 6f 77 73 65 72 2d 75 72 6c 3d 22 2f 75 6e 73 75 70 70 6f 72 74 65 64 2d 62 72 6f 77 73 65 72 3f 6f 6c 64 3d 31 22 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 2d 6c 61 79 6f 75 74 20 6e 6f 2d 6a 73 20 70 72 6f 64 22 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 09 3c Data Ascii: IE 10 ]><html lang="cs" class="ie9 no-js"> <![endif]-->...[if (gt IE 10)\|!(IE)]>...><html lang="cs" data-default-timezone="Etc/UTC" data-old-browser-url="/unsupported-browser?old=1" class="responsive-layout no-js prod">...<![endif]--><head><
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 39 36 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 31 32 38 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 36 30 78 31 36 30 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 31 36 30 2e 70 6e 67 Data Ascii: uch-icon-precomposed" sizes="96x96" href="/img/favicon/solid/96.png"><link rel="apple-touch-icon-precomposed" sizes="128x128" href="/img/favicon/solid/128.png"><link rel="apple-touch-icon-precomposed" sizes="160x160" href="/img/favicon/solid/160.png
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 73 71 75 61 72 65 37 30 78 37 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 74 69 6e 79 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 73 71 75 61 72 65 31 35 30 78 31 35 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 73 71 75 61 72 65 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 77 69 64 65 33 31 30 78 31 35 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 77 69 64 65 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 Data Ascii: "msapplication-square70x70logo" content="/img/favicon/ms/tiny.png"><meta name="msapplication-square150x150logo" content="/img/favicon/ms/square.png"><meta name="msapplication-wide310x150logo" content="/img/favicon/ms/wide.png"><meta name="msapplicat
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 20 61 64 64 72 65 73 73 3f 20 49 66 20 74 68 69 73 20 72 65 61 6c 6c 79 20 69 73 20 74 68 65 20 63 6f 72 72 65 63 74 20 62 65 67 69 6e 6e 69 6e 67 20 6f 66 20 79 6f 75 20 65 2d 6d 61 69 6c 2c 20 70 72 65 73 73 20 65 6e 74 65 72 2e 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 61 6c 65 72 74 73 2e 75 70 6c 6f 61 64 46 61 69 6c 65 64 20 3d 20 22 57 65 20 61 72 65 20 73 6f 72 72 79 20 62 75 74 20 74 68 65 20 66 69 6c 65 20 75 70 6c 6f 61 64 20 63 6f 75 6c 64 6e 27 74 20 62 65 20 72 65 73 74 6f 72 65 64 2e 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 61 6c 65 72 74 73 2e 63 6f 6e 66 69 72 6d 55 70 6c 6f 61 64 41 62 6f 72 74 20 3d 20 22 44 6f 20 79 6f 75 20 72 65 61 6c 6c 79 20 77 61 6e 74 20 74 6f 20 69 6e 74 65 72 72 75 70 74 20 74 68 65 20 75 70 6c 6f Data Ascii: address? If this really is the correct beginning of you e-mail, press enter."; MESSAGES.alerts.uploadFailed = "We are sorry but the file upload couldn't be restored."; MESSAGES.alerts.confirmUploadAbort = "Do you really want to interrupt the uplo
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 64 61 79 73 20 3d 20 22 64 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 68 6f 75 72 73 20 3d 20 22 68 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 6d 69 6e 75 74 65 73 20 3d 20 22 6d 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 73 65 63 6f 6e 64 73 20 3d 20 22 73 22 3b 0a 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 0a 09 09 64 61 74 61 2d 62 79 74 65 73 2d 70 65 72 2d 6b 62 3d 22 31 30 32 34 22 20 64 61 74 61 2d 73 65 6e 74 72 79 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 36 33 36 36 31 32 38 63 64 33 62 61 34 66 Data Ascii: ESSAGES.time.shortcuts.days = "d"; MESSAGES.time.shortcuts.hours = "h"; MESSAGES.time.shortcuts.minutes = "m"; MESSAGES.time.shortcuts.seconds = "s";</script></head><bodydata-bytes-per-kb="1024" data-sentry-url="https://6366128cd3ba4f
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 2f 61 3e 0a 09 09 09 3c 21 2d 2d 20 2e 61 63 63 6f 75 6e 74 20 2d 2d 3e 0a 0a 09 09 3c 6e 61 76 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 61 76 69 67 61 74 69 6f 6e 2d 74 72 69 67 67 65 72 20 6d 64 2d 69 6e 76 69 73 69 62 6c 65 20 75 6e 64 65 72 6c 69 6e 65 22 3e 0a 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6e 61 76 69 67 61 74 69 6f 6e 2d 74 72 69 67 67 65 72 2d 69 63 6f 6e 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 31 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 32 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 33 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 Data Ascii: /a>... .account --><nav><div class="navigation-trigger md-invisible underline"><span class="navigation-trigger-icon"><span class="line-1">-</span><span class="line-2">-</span><span class="line-3">-</span></span>
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 20 62 74 6e 2d 62 6c 6f 63 6b 22 20 68 72 65 66 3d 22 2f 22 3e 0a 09 09 09 09 09 09 09 09 09 53 77 69 74 63 68 20 74 6f 20 74 68 65 20 68 6f 6d 65 20 70 61 67 65 0a 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 70 3e 0a 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 3c 21 2d 2d 20 2e 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 20 2d 2d 3e 0a 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 21 2d 2d 20 2e 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 20 2d 2d 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 09 09 09 09 09 0a 0a 09 09 09 09 09 09 3c 2f 73 65 63 74 69 6f 6e 3e 0a 09 09 09 09 09 09 3c 21 2d 2d 20 2e 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 0a 09 09 3c 68 72 3e 0a 0a 09 09 3c Data Ascii: n btn-primary btn-block" href="/">Switch to the home page</a></p></div>... .inline-block --></div>... .content-header --></div></section>... .content --><hr><
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 62 73 70 3b 64 61 79 73 3c 2f 68 32 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 69 6e 66 6f 2d 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 69 6e 66 6f 20 2d 2d 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 63 6f 6c 75 6d 6e 20 2d 2d 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 63 6f 6c 75 6d 6e 73 20 2d 2d 3e 0a 0a 0a 09 09 09 3c 6e 61 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 2d 6e 61 76 69 67 61 74 69 6f 6e 22 3e 0a 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 43 6f 6e 74 61 63 74 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 63 6f 6e 74 61 63 74 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e Data Ascii: bsp;days</h2></div>... .info-content --></div>... .info --></div>... .column --></div>... .columns --><nav class="footer-navigation"><a title="Contact" class="underline" href="/contact"><span class="un
2024-11-15 16:38:20 UTC	1369	IN	Data Raw: 74 6c 65 3d 22 41 6c 74 65 72 6e 61 74 69 76 65 20 74 6f 20 53 65 6e 64 73 70 61 63 65 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 73 65 6e 64 73 70 61 63 65 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 2d 69 74 65 6d 22 3e 53 65 6e 64 73 70 61 63 65 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 26 6d 69 64 64 6f 74 3b 0a 09 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 41 6c 74 65 72 6e 61 74 69 76 65 20 74 6f 20 57 65 73 65 6e 64 69 74 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 77 65 73 65 6e 64 69 74 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 2d 69 74 65 6d 22 3e Data Ascii: tle="Alternative to Sendspace" class="underline" href="/sendspace"><span class="underline-item">Sendspace</span></a>·<a title="Alternative to Wesendit" class="underline" href="/wesendit"><span class="underline-item">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49987	188.114.96.3	443	5352	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-15 16:40:00 UTC	71	OUT	GET /data-package/XrlEIxYp/download HTTP/1.1 Host: filetransfer.io
2024-11-15 16:40:01 UTC	1198	IN	HTTP/1.1 403 Forbidden Date: Fri, 15 Nov 2024 16:40:01 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=8g49j7fl0i4vb28uoap7nvncej; expires=Fri, 29-Nov-2024 16:40:01 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Vary: X-Requested-With cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h3jgFGNcdMZk7eIyuYE5di9BwXG6VIZIXZRbMAWePYYZqVnaUOPQ63TX71qOllVzuzxo9T2y%2FGJy4o1CkZq50Cu7ot%2FOMhUAygIZ8I3FquhviwrIttMxmxg7i5gIPBaZRjs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e30ae3cd8ad1440-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1249&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=709&delivery_rate=2215761&cwnd=244&unsent_bytes=0&cid=65e613fcaa8741df&ts=769&x=0"
2024-11-15 16:40:01 UTC	171	IN	Data Raw: 33 34 36 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 37 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 38 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 31 Data Ascii: 346c<!DOCTYPE html>...[if lt IE 8 ]><html lang="cs" class="ie7 no-js"> <![endif]-->...[if lt IE 9 ]><html lang="cs" class="ie8 no-js"> <![endif]-->...[if lt IE 1
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 30 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 39 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 31 30 29 7c 21 28 49 45 29 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 0a 09 20 20 64 61 74 61 2d 64 65 66 61 75 6c 74 2d 74 69 6d 65 7a 6f 6e 65 3d 22 45 74 63 2f 55 54 43 22 20 64 61 74 61 2d 6f 6c 64 2d 62 72 6f 77 73 65 72 2d 75 72 6c 3d 22 2f 75 6e 73 75 70 70 6f 72 74 65 64 2d 62 72 6f 77 73 65 72 3f 6f 6c 64 3d 31 22 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 2d 6c 61 79 6f 75 74 20 6e 6f 2d 6a 73 20 70 72 6f 64 22 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 09 3c 6d 65 74 61 Data Ascii: 0 ]><html lang="cs" class="ie9 no-js"> <![endif]-->...[if (gt IE 10)\|!(IE)]>...><html lang="cs" data-default-timezone="Etc/UTC" data-old-browser-url="/unsupported-browser?old=1" class="responsive-layout no-js prod">...<![endif]--><head><meta
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 39 36 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 31 32 38 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 36 30 78 31 36 30 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 31 36 30 2e 70 6e 67 22 3e 0a 0a Data Ascii: icon-precomposed" sizes="96x96" href="/img/favicon/solid/96.png"><link rel="apple-touch-icon-precomposed" sizes="128x128" href="/img/favicon/solid/128.png"><link rel="apple-touch-icon-precomposed" sizes="160x160" href="/img/favicon/solid/160.png">
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 70 70 6c 69 63 61 74 69 6f 6e 2d 73 71 75 61 72 65 37 30 78 37 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 74 69 6e 79 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 73 71 75 61 72 65 31 35 30 78 31 35 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 73 71 75 61 72 65 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 77 69 64 65 33 31 30 78 31 35 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 77 69 64 65 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d Data Ascii: pplication-square70x70logo" content="/img/favicon/ms/tiny.png"><meta name="msapplication-square150x150logo" content="/img/favicon/ms/square.png"><meta name="msapplication-wide310x150logo" content="/img/favicon/ms/wide.png"><meta name="msapplication-
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 72 65 73 73 3f 20 49 66 20 74 68 69 73 20 72 65 61 6c 6c 79 20 69 73 20 74 68 65 20 63 6f 72 72 65 63 74 20 62 65 67 69 6e 6e 69 6e 67 20 6f 66 20 79 6f 75 20 65 2d 6d 61 69 6c 2c 20 70 72 65 73 73 20 65 6e 74 65 72 2e 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 61 6c 65 72 74 73 2e 75 70 6c 6f 61 64 46 61 69 6c 65 64 20 3d 20 22 57 65 20 61 72 65 20 73 6f 72 72 79 20 62 75 74 20 74 68 65 20 66 69 6c 65 20 75 70 6c 6f 61 64 20 63 6f 75 6c 64 6e 27 74 20 62 65 20 72 65 73 74 6f 72 65 64 2e 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 61 6c 65 72 74 73 2e 63 6f 6e 66 69 72 6d 55 70 6c 6f 61 64 41 62 6f 72 74 20 3d 20 22 44 6f 20 79 6f 75 20 72 65 61 6c 6c 79 20 77 61 6e 74 20 74 6f 20 69 6e 74 65 72 72 75 70 74 20 74 68 65 20 75 70 6c 6f 61 64 3f 22 Data Ascii: ress? If this really is the correct beginning of you e-mail, press enter."; MESSAGES.alerts.uploadFailed = "We are sorry but the file upload couldn't be restored."; MESSAGES.alerts.confirmUploadAbort = "Do you really want to interrupt the upload?"
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 64 61 79 73 20 3d 20 22 64 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 68 6f 75 72 73 20 3d 20 22 68 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 6d 69 6e 75 74 65 73 20 3d 20 22 6d 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 73 65 63 6f 6e 64 73 20 3d 20 22 73 22 3b 0a 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 0a 09 09 64 61 74 61 2d 62 79 74 65 73 2d 70 65 72 2d 6b 62 3d 22 31 30 32 34 22 20 64 61 74 61 2d 73 65 6e 74 72 79 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 36 33 36 36 31 32 38 63 64 33 62 61 34 66 66 62 62 61 Data Ascii: GES.time.shortcuts.days = "d"; MESSAGES.time.shortcuts.hours = "h"; MESSAGES.time.shortcuts.minutes = "m"; MESSAGES.time.shortcuts.seconds = "s";</script></head><bodydata-bytes-per-kb="1024" data-sentry-url="https://6366128cd3ba4ffbba
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 09 09 09 3c 21 2d 2d 20 2e 61 63 63 6f 75 6e 74 20 2d 2d 3e 0a 0a 09 09 3c 6e 61 76 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 61 76 69 67 61 74 69 6f 6e 2d 74 72 69 67 67 65 72 20 6d 64 2d 69 6e 76 69 73 69 62 6c 65 20 75 6e 64 65 72 6c 69 6e 65 22 3e 0a 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6e 61 76 69 67 61 74 69 6f 6e 2d 74 72 69 67 67 65 72 2d 69 63 6f 6e 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 31 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 32 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 33 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 73 Data Ascii: ... .account --><nav><div class="navigation-trigger md-invisible underline"><span class="navigation-trigger-icon"><span class="line-1">-</span><span class="line-2">-</span><span class="line-3">-</span></span><s
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 6e 2d 70 72 69 6d 61 72 79 20 62 74 6e 2d 62 6c 6f 63 6b 22 20 68 72 65 66 3d 22 2f 22 3e 0a 09 09 09 09 09 09 09 09 09 53 77 69 74 63 68 20 74 6f 20 74 68 65 20 68 6f 6d 65 20 70 61 67 65 0a 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 70 3e 0a 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 3c 21 2d 2d 20 2e 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 20 2d 2d 3e 0a 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 21 2d 2d 20 2e 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 20 2d 2d 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 09 09 09 09 09 0a 0a 09 09 09 09 09 09 3c 2f 73 65 63 74 69 6f 6e 3e 0a 09 09 09 09 09 09 3c 21 2d 2d 20 2e 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 0a 09 09 3c 68 72 3e 0a 0a 09 09 3c 66 6f 6f 74 Data Ascii: n-primary btn-block" href="/">Switch to the home page</a></p></div>... .inline-block --></div>... .content-header --></div></section>... .content --><hr><foot
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 64 61 79 73 3c 2f 68 32 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 69 6e 66 6f 2d 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 69 6e 66 6f 20 2d 2d 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 63 6f 6c 75 6d 6e 20 2d 2d 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 63 6f 6c 75 6d 6e 73 20 2d 2d 3e 0a 0a 0a 09 09 09 3c 6e 61 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 2d 6e 61 76 69 67 61 74 69 6f 6e 22 3e 0a 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 43 6f 6e 74 61 63 74 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 63 6f 6e 74 61 63 74 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c Data Ascii: days</h2></div>... .info-content --></div>... .info --></div>... .column --></div>... .columns --><nav class="footer-navigation"><a title="Contact" class="underline" href="/contact"><span class="underl
2024-11-15 16:40:01 UTC	1369	IN	Data Raw: 22 41 6c 74 65 72 6e 61 74 69 76 65 20 74 6f 20 53 65 6e 64 73 70 61 63 65 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 73 65 6e 64 73 70 61 63 65 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 2d 69 74 65 6d 22 3e 53 65 6e 64 73 70 61 63 65 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 26 6d 69 64 64 6f 74 3b 0a 09 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 41 6c 74 65 72 6e 61 74 69 76 65 20 74 6f 20 57 65 73 65 6e 64 69 74 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 77 65 73 65 6e 64 69 74 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 2d 69 74 65 6d 22 3e 57 65 73 65 Data Ascii: "Alternative to Sendspace" class="underline" href="/sendspace"><span class="underline-item">Sendspace</span></a>·<a title="Alternative to Wesendit" class="underline" href="/wesendit"><span class="underline-item">Wese

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: QUOTATION_NOVQTRA071244#U00faPDF.scr.exePID: 5352, Parent PID: 4004

General

Target ID:	0
Start time:	11:38:11
Start date:	15/11/2024
Path:	C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_NOVQTRA071244#U00faPDF.scr.exe"
Imagebase:	0x197b42a0000
File size:	187'392 bytes
MD5 hash:	C0FF92D3F8D44D4B144D62A25203FB54
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: QUOTATION_NOVQTRA071244#U00faPDF.scr.exePID: 5352, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD343F9CE7 Relevance: 3.8, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

XXH4, xrefs: 00007FFD343F9D2D
3S, xrefs: 00007FFD343F9D6A, 00007FFD343F9D83
xYH4, xrefs: 00007FFD343F9D07

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: XXH4$xYH4$3S
API String ID: 0-1634297494
Opcode ID: 0b5adb2b48ad2ed6b72365a56e2d6b2d3498e32580cc6b8d6fc54fc2ff505b29
Instruction ID: 6f24f855e631b6bf9a2dd60102d1bf1f897b4a4d03f4507c695b136e78c91c24
Opcode Fuzzy Hash: 0b5adb2b48ad2ed6b72365a56e2d6b2d3498e32580cc6b8d6fc54fc2ff505b29
Instruction Fuzzy Hash: 1F219A22B0D9464FDB95F72C84A957837E1EFAA25170600B6E50DCB2F3EE2CAC429750

Function 00007FFD343F9F8B Relevance: 3.8, Strings: 3, Instructions: 68COMMON

Download Yara Rule

Strings

XXH4, xrefs: 00007FFD343F9FD3
@_H4, xrefs: 00007FFD343F9FA4
[H4, xrefs: 00007FFD343F9FF9

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: @_H4$XXH4$[H4
API String ID: 0-1646419727
Opcode ID: aec514076a81eab9edbf82b5af0e6f0e2ed17f96ae5267752a3c92eba1f9296d
Instruction ID: 472efcaa6effdeb8b0537081027f49d06e32bf955c34d0c4a7e10dbbdd6243a5
Opcode Fuzzy Hash: aec514076a81eab9edbf82b5af0e6f0e2ed17f96ae5267752a3c92eba1f9296d
Instruction Fuzzy Hash: 9511CD23B09D464FEBC4FB2C94A95B863D1EFAA35574500B6E909D73A2ED3CAC514740

Function 00007FFD343F6069 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

pNH4, xrefs: 00007FFD343F606A

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: pNH4
API String ID: 0-694939378
Opcode ID: 674b1cdfedf76bdbd15eef4a7ad0fdecc5785f7335cb510431ab42cf90d79d83
Instruction ID: 199318c60336724ec54c7aeae683ec1d8464dedce4f1b2cac4b07ec60395f808
Opcode Fuzzy Hash: 674b1cdfedf76bdbd15eef4a7ad0fdecc5785f7335cb510431ab42cf90d79d83
Instruction Fuzzy Hash: A321F832B4D9564FE745EB2898A07B977E2EFD6210F1901BAC449DB2E2DE3C5C468740

Function 00007FFD343F8210 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

8WH4, xrefs: 00007FFD343F8251

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 8WH4
API String ID: 0-1681655519
Opcode ID: bf6a682c57ae9204a35eed1ee4f603aa2494752ea8b4e8af7c9129c1e79a94b7
Instruction ID: 1c5a7443f39a235d100cf1ce633452a473ee13b2c7c4e93cef443c795fc4da9a
Opcode Fuzzy Hash: bf6a682c57ae9204a35eed1ee4f603aa2494752ea8b4e8af7c9129c1e79a94b7
Instruction Fuzzy Hash: A811262298E7C92FE74797645C791E97FB0EF93200F0A00EBD499CB093DA2D2915C312

Function 00007FFD343F83A5 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

8WH4, xrefs: 00007FFD343F83B0

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID: 8WH4
API String ID: 0-1681655519
Opcode ID: 1c4156dbc1e3e99dfcb8e1f2cb26fe84ea7dabefb1023b90e73a9d4145b7f521
Instruction ID: 7cfe33b478fcb8aa9c6ac286639cfe89c0d29787bde399c68c5ccd04b7ce6fc6
Opcode Fuzzy Hash: 1c4156dbc1e3e99dfcb8e1f2cb26fe84ea7dabefb1023b90e73a9d4145b7f521
Instruction Fuzzy Hash: 8F01DF3378C60A4FF61CB608A8955B87381EF92320F54057AD24AC76A2DA3EF412A740

Function 00007FFD343FBF95 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e555e56cf78865104ef99290df84903603f22b4f298e862a8e2537f08328f44
Instruction ID: 04e31a4133db7a2ad320b65f3b0cc2c9c41104fcfb0673695e9a4b0c3d6febd2
Opcode Fuzzy Hash: 5e555e56cf78865104ef99290df84903603f22b4f298e862a8e2537f08328f44
Instruction Fuzzy Hash: 21912D72E4D7494FEB55EF6888A51E9BBA0FF66310F08417BD048D7193CA38A805C7C1

Function 00007FFD343FC0D5 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ca4dc661e5d1a6d9eeeff479357ac5b3a57f1f2fe8a5633d9c28d9e96af863
Instruction ID: c1de812ae72d34ce991d5a5d35d93c2df45c3d78f76ac2edf35c03a6284a7cbf
Opcode Fuzzy Hash: 56ca4dc661e5d1a6d9eeeff479357ac5b3a57f1f2fe8a5633d9c28d9e96af863
Instruction Fuzzy Hash: A1519F31908B4C8FDB59EF9888556EDBBF1FF99310F0482ABD449D7256CA34A845CB82

Function 00007FFD343F24E5 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284479373451b404fe31cfb09b45b67240be9f3b675cc9c809fffaca237ff598
Instruction ID: b455be4ce5d2e2f3afc9757562d7e2ab46fa938c4e04126269fee23638f8d51c
Opcode Fuzzy Hash: 284479373451b404fe31cfb09b45b67240be9f3b675cc9c809fffaca237ff598
Instruction Fuzzy Hash: EE614933A4C6894FF761A72488716F57BE0EF47320F0502BAD58DC71D2DD6E680A9781

Function 00007FFD343F4758 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e144743b3f818c601da80efe49c78a931cb65a95b2e81e8e846d341105c188
Instruction ID: b8de279b6f1d5b0f467be3c076bdc911318b3efedc50f4fdd95cf94070cd4896
Opcode Fuzzy Hash: e4e144743b3f818c601da80efe49c78a931cb65a95b2e81e8e846d341105c188
Instruction Fuzzy Hash: AE51A062A4E3C60FE757AB7848756657FE1AF57210F0A00FBD588CB0E3DA2D9845C352

Function 00007FFD343F2B78 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e1c8b07db6331408aa096d3603a7de84232ead51237602dad009e75cf3f0f7
Instruction ID: 163df491fa0a83ed92599d2fa41f3c6ec3df52b3927dc20776420ff541039701
Opcode Fuzzy Hash: 56e1c8b07db6331408aa096d3603a7de84232ead51237602dad009e75cf3f0f7
Instruction Fuzzy Hash: D2510132A4DB858FD717A76458665E93FF0EF47320B0901EBC489CB093D92D6847C392

Function 00007FFD343F239D Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb2a732967c838ec886f0ad98b987e6144d31cfbfa9734fba896ad2c9b0c685
Instruction ID: 4418b33a8622c9d45671eedb7d9596a984073158f2493ec079d865b8c01c7c48
Opcode Fuzzy Hash: 2cb2a732967c838ec886f0ad98b987e6144d31cfbfa9734fba896ad2c9b0c685
Instruction Fuzzy Hash: 3841876294E7C18FE753977488B22907FB0AF17214B1E84EBC4C5CF0E7D56A588AD362

Function 00007FFD343F085D Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c79f1a605b30dc20ad3a78ebe514182cd835ece20616b48338ba444573da45
Instruction ID: 7c76ea7adb92c14d4b7c447f11c55977a0661286c803ae12a52466b18177cd04
Opcode Fuzzy Hash: 19c79f1a605b30dc20ad3a78ebe514182cd835ece20616b48338ba444573da45
Instruction Fuzzy Hash: 8441BA23A8D6C64FF762673848B11E97FA0AF43354F4901FAC699CB0E3E96C68459781

Function 00007FFD343FA3A5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a96c77c04e600e788e38e8b1a3bbf5b39f89be2f421a51c8d80bfedd45f783c
Instruction ID: eb141977547085e543c75bc2c520852a38a48ee2eac1516bfc03671a3db03304
Opcode Fuzzy Hash: 4a96c77c04e600e788e38e8b1a3bbf5b39f89be2f421a51c8d80bfedd45f783c
Instruction Fuzzy Hash: C531043364C6854FEB19EE2488A0AA53BE1EF86710B1900AED54EC7292CA3CA802D711

Function 00007FFD343F5445 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f6597b8d01e63d13d1f99613d2c50cfa01c39cb8f77050f86d96cb192475df
Instruction ID: 587b52adb3e03361493bafdaf43c36d121a9dc3555a768fe5d26482249627d58
Opcode Fuzzy Hash: 92f6597b8d01e63d13d1f99613d2c50cfa01c39cb8f77050f86d96cb192475df
Instruction Fuzzy Hash: F431C432B4D6468FEB95EA54C8A17A837E2EF86310F1900FAC44ADB2D3DE7C5845D701

Function 00007FFD343F255D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b341efed97aa7525a4f4f7f4ea2d5356957b726f02907d6ad224db86d12d0169
Instruction ID: da9cb989bafefaf0f344ce995be91edc0eef7faba4bdb40af6ce03eee1cd504d
Opcode Fuzzy Hash: b341efed97aa7525a4f4f7f4ea2d5356957b726f02907d6ad224db86d12d0169
Instruction Fuzzy Hash: 6B21F523E8C55E8AF7B0B62848B16F976D0EF46310F040176D64CC30C2DD7E691A2681

Function 00007FFD343F3CB8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c1f77b967cea7ad3f0a8b8e873c2f31bd1bea0146a68c576203efb2d9d33fe
Instruction ID: 6ba28103e9ca88235f75d131be0230408a98b141c8a30f8a33a2ec80209e865d
Opcode Fuzzy Hash: 36c1f77b967cea7ad3f0a8b8e873c2f31bd1bea0146a68c576203efb2d9d33fe
Instruction Fuzzy Hash: 75119422B0C8094FEBD5E66C44A537D2AD2EFDA790F184075E04EDB39ADE699C035781

Function 00007FFD343F26E8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07653a5c54be78b9560a19c4e2b5884fedca7943f8c7a63575c2ffa0e6c03d8d
Instruction ID: 80622bacc96116521f8a88d913187d959e2892a53294965fb84f0281f7f1e718
Opcode Fuzzy Hash: 07653a5c54be78b9560a19c4e2b5884fedca7943f8c7a63575c2ffa0e6c03d8d
Instruction Fuzzy Hash: 7611E332B4C646CFE741EB54C8A03A937A3EF86314F19017AC449DF1D2CA3D9846C751

Function 00007FFD343F7D50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24de4026f9ca65b3260fc2c247027f169bc534f7c210c48b1d5e690e7765badb
Instruction ID: 34311e029e408d8b484e186d215d51018868129b9a1986f4eedd842f2089d7ce
Opcode Fuzzy Hash: 24de4026f9ca65b3260fc2c247027f169bc534f7c210c48b1d5e690e7765badb
Instruction Fuzzy Hash: 14013122A8D7D11FE792977854A27A43FE19F47220F4A00EBD188CF1D3DA6C584A9356

Function 00007FFD343F8289 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa3789a37f33f79ad27305297b1c21d1e851003419d8869283254ab744e1992
Instruction ID: 4861e8f2b46e45b2d1b0afde2d52d322901e161d21b23f62015a2fcd0ebe28f3
Opcode Fuzzy Hash: cfa3789a37f33f79ad27305297b1c21d1e851003419d8869283254ab744e1992
Instruction Fuzzy Hash: 7901D823B4E6814FE78A96A858712983F91EF86220B0E00F7C489CF1D3D63C58518351

Function 00007FFD343F8790 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73775068430d454207e11d8142591d861ddc7ddf5099a6fdbe22c38e74d3f641
Instruction ID: 462376e163cc283764eb20a1b9b81a9a6bda7be2e7cda8e0ad66e200b979e3c5
Opcode Fuzzy Hash: 73775068430d454207e11d8142591d861ddc7ddf5099a6fdbe22c38e74d3f641
Instruction Fuzzy Hash: 78F0A42298E6A10FF76962B959A67D53BA0DF03760F0900FBD848CB093D61D4C8A93D6

Function 00007FFD343FACAA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fc801f13b4639e1b48da5f44057e8f8033426f3e472a324ff130ec45ff803a
Instruction ID: 928d9c1d096aab75482ef611cd696ebef6fab9c065d066bbe57ebf3aaad41da0
Opcode Fuzzy Hash: d8fc801f13b4639e1b48da5f44057e8f8033426f3e472a324ff130ec45ff803a
Instruction Fuzzy Hash: E201A73160D7868FD746DF2888656993BE2EF86324F1900AED88ACF1D3CA3C9C02C704

Function 00007FFD343F8894 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e29b0099fc575d498cd8c4f29534bf91177441dc5ef897dc1d30935a4eb30b
Instruction ID: 0cd1b43be8f9b01679b4a98e0b1e9156de248e7b37ab332593abf9a1b6ef2e02
Opcode Fuzzy Hash: a5e29b0099fc575d498cd8c4f29534bf91177441dc5ef897dc1d30935a4eb30b
Instruction Fuzzy Hash: 88F0B432B4C6054FE71CEE28945517973D1FB5A300F51423FD45BC3691DF38A4115684

Function 00007FFD343F8771 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc2b65fe6baf6c9b916fbbd67c731efdbaf20146c3dff5310767ce25dc36988
Instruction ID: 83f34d30122c3376af29917c857a736aab233596b80be0631fe89b6403523db7
Opcode Fuzzy Hash: 4cc2b65fe6baf6c9b916fbbd67c731efdbaf20146c3dff5310767ce25dc36988
Instruction Fuzzy Hash: FFF08923D8EAE20FF756256945E12946FA0DF13750F0904F6C585CB493DA1D585993C1

Function 00007FFD343F08A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1a88b1eeca786a51b6c6fe93b22d440e1f584481f7e10504bdea31cf2120a5
Instruction ID: 8330c36ecede0ed3b117d46d842e518813e03e00902ef4c173f48585333bb49f
Opcode Fuzzy Hash: 4d1a88b1eeca786a51b6c6fe93b22d440e1f584481f7e10504bdea31cf2120a5
Instruction Fuzzy Hash: E3F0F82298E7C80FE75366240CB10987FB0AE43200B4E01E7C688CB0A3E51D59089352

Function 00007FFD343F8BA7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf268e4849675f31e6038fcdff00e9296bf6db634674f75056ecc1b42c71bec7
Instruction ID: c6f2ead37440fc50c10bc9a9341e132e9c6c094b727cbc0fc6b0f5bc090049c5
Opcode Fuzzy Hash: cf268e4849675f31e6038fcdff00e9296bf6db634674f75056ecc1b42c71bec7
Instruction Fuzzy Hash: 16F0C232B4C5058FE709DB14D8A06E977E2EF8A314F2901BAC00ADB296CA3C6C02D710

Function 00007FFD343F05A8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae570d117ac4ba5093afe92dfd381238f3c85f702cf7c74fdacdba1a00cc3f99
Instruction ID: 40d0b15ec011d46cda7aa79f460df471165fe3d9ed565ba71d261b21dae1e9bf
Opcode Fuzzy Hash: ae570d117ac4ba5093afe92dfd381238f3c85f702cf7c74fdacdba1a00cc3f99
Instruction Fuzzy Hash: 69E02232B481040BD7A4B51CEC91BAE32D6DBC7320FA4073BE40EC3289E9E8A98143C5

Function 00007FFD343F61BA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37e2924acc36e7927a8fb241943b35ce5715fd2397cdb9d25f221c35beec039
Instruction ID: e97473d525bc9ee37f86ad2d70aa5bb1c8c9da1f9639b7dacf3f77665098177a
Opcode Fuzzy Hash: f37e2924acc36e7927a8fb241943b35ce5715fd2397cdb9d25f221c35beec039
Instruction Fuzzy Hash: 63F0827860D6078FE70DCBA4C4A05A977E2AF45310F1431ACC50BEF5C1CE359801CB04

Function 00007FFD343FA4A7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf6ded4e6605b65d3ff395ef14ba9780b9b93152cbb939082ab5ac26cd50136
Instruction ID: ebe68ae6e243c74ff8aef10ee2542f5f68b42b9b8a85434e04c036741b79f0e5
Opcode Fuzzy Hash: aaf6ded4e6605b65d3ff395ef14ba9780b9b93152cbb939082ab5ac26cd50136
Instruction Fuzzy Hash: 22F0A72072CB464FD749BB7C40625A9B2C2FF84310B1407A9E88ED71C7DE3CD811C685

Function 00007FFD343F3AD2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a78d57f44fc8fa553cf388d135fa89ea7562df4ac6b0b9089959132518466a
Instruction ID: beff0db4d0d32077020b995a611cf5efdff444941437fdff8f67bb90a9f994ac
Opcode Fuzzy Hash: 02a78d57f44fc8fa553cf388d135fa89ea7562df4ac6b0b9089959132518466a
Instruction Fuzzy Hash: 77F0B43274E6814FEB02EB1884B05A83F629F43324F4E42E9C585DF1E7D93C9449C381

Function 00007FFD343F56E2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb53ad7393b3d26497b1fd5a2d4153bb4cfe7c690ecf394f7e1fef9a4fd7f284
Instruction ID: 815da5be9d16eeaf9cab12ae0974fe851fcd0796626cc2a55762cbfbe0856385
Opcode Fuzzy Hash: fb53ad7393b3d26497b1fd5a2d4153bb4cfe7c690ecf394f7e1fef9a4fd7f284
Instruction Fuzzy Hash: D6E0867D98481F8EFF64D729E4E077E72E0AF1D302F51316A804BCF191CE3A55408600

Function 00007FFD343F64AA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2e18e85825b997bef01ebf186ac4365a0146b6b035a0189dee7e1ce4c1a44c
Instruction ID: 66d8535f74ff9f1488996be8776a11c31118267661cc5afd8a24a9e7f7c663bb
Opcode Fuzzy Hash: cd2e18e85825b997bef01ebf186ac4365a0146b6b035a0189dee7e1ce4c1a44c
Instruction Fuzzy Hash: E2F08232B4DA594FE781EB18C8B46A837A2AF86310F2A02B5C44DCB2D3C93C69458745

Function 00007FFD343F30C1 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90aa1f04f3b682c8bf36095ef09d44059aef6e6e1b7ec90a170f946a9ba58a2
Instruction ID: 2ac689704afca72e516dafb05a8d94177ed0330dd51c579b50a3c0226ad8c8de
Opcode Fuzzy Hash: a90aa1f04f3b682c8bf36095ef09d44059aef6e6e1b7ec90a170f946a9ba58a2
Instruction Fuzzy Hash: E3F0E532A8C2428FF706AA1884A06D937D2EF5A320F1A01F9D48DCB193C93C5D018294

Function 00007FFD343FADEC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82e9b4e9bbdbf470d34f55f556d8c6bd3f1d890f248e2c030f0c0348bbee9e5
Instruction ID: 7007573e9313f22116ac32049a2275422e62499dc6be7680b3c36cd6fac0bf71
Opcode Fuzzy Hash: b82e9b4e9bbdbf470d34f55f556d8c6bd3f1d890f248e2c030f0c0348bbee9e5
Instruction Fuzzy Hash: 4FE06D2172CA064FDB49BB7C84629E972D6FF99320B5905B9E40EDB1D7DE38D802CB40

Function 00007FFD343F2ECD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124233c8b03415a399e2400359253765da9fb06faa8001a64aa90fa4f98e9726
Instruction ID: b421a2ae4f2b10759cb7c88eea12737597de5810dd86efe8d650d7ec39ebeec2
Opcode Fuzzy Hash: 124233c8b03415a399e2400359253765da9fb06faa8001a64aa90fa4f98e9726
Instruction Fuzzy Hash: A9D05E23F9481E4EFB54FBB828665FDB2A9EFC9200F904436E50DD3083DD2E29111281

Function 00007FFD343F36ED Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684f3a084924830f08ea8a96dec04e6c7c0fd339d409ca818765dc8de0ac9e93
Instruction ID: be212216a82c1252c4078d53e1eadb8a35568511421e5ec28f7e59ebbfa99b10
Opcode Fuzzy Hash: 684f3a084924830f08ea8a96dec04e6c7c0fd339d409ca818765dc8de0ac9e93
Instruction Fuzzy Hash: C9D05E23F94C1E0EEB54B7F82C665FDB2A9EF89200F904476E50EC3083DD2D69150682

Function 00007FFD343F62DF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e3c81f0ab3393e1f13c254e693061ce6996324588379704b4f34089bc7e515
Instruction ID: c23658f48ac0fe416c5a015f73a237ec62a6073314e3ca024e7a019c3b6a6bf7
Opcode Fuzzy Hash: f6e3c81f0ab3393e1f13c254e693061ce6996324588379704b4f34089bc7e515
Instruction Fuzzy Hash: 9BE08C31F185084AE76096A8845E36CF3A2EF91221F2447ABC02EC3196DE7988839280

Function 00007FFD343F7DBF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39841af52d0d7d81f294a89b51396a8ee39ed227caa1b311d931312ef0f8ce2
Instruction ID: 4ccd5f01d43fad59a486a419fb124e98fcd3b7684d021e0cb898cc46c9818cd4
Opcode Fuzzy Hash: e39841af52d0d7d81f294a89b51396a8ee39ed227caa1b311d931312ef0f8ce2
Instruction Fuzzy Hash: F3E0C223BDC5814BF781622814B1B7C20839FC6250F55007E911DCB1D7CE7C5C015341

Function 00007FFD343F31A6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd6f649b9f866336b0326c40c2564dfcb6db0c392f1696303a12c6ac1a1c9ca
Instruction ID: 7a422bc6dc02e406a4e0b02c8e3744ef6fa2f4d4bbcd7f92c4a09583459b6af1
Opcode Fuzzy Hash: efd6f649b9f866336b0326c40c2564dfcb6db0c392f1696303a12c6ac1a1c9ca
Instruction Fuzzy Hash: F5D05E31B0C5888FE346DBA888607D93BE2DF8A350F1D41B89889DF197C5788842C390

Function 00007FFD343F6B0C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462ec4160fb837856641300449eb9e08604606bfdd6171866f0e0c9195956d6f
Instruction ID: 403e4b2ceddfcc43b59781738625e0c7f446ddc7d2a39f937e73a478a149b9fd
Opcode Fuzzy Hash: 462ec4160fb837856641300449eb9e08604606bfdd6171866f0e0c9195956d6f
Instruction Fuzzy Hash: DDE01262E5852ACBEB94DA19D8E07BC72E4AF11311F440076E40DD31C1DA7C5944AF52

Function 00007FFD343F28E7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469d093fb5ef6c284863ce6b71538fd73bd4a48e481b7ed7551470ce744f85e4
Instruction ID: 98e60f1144344730b5114a5e859191e83b2a0fc41e3650a3379612b7bfe9c439
Opcode Fuzzy Hash: 469d093fb5ef6c284863ce6b71538fd73bd4a48e481b7ed7551470ce744f85e4
Instruction Fuzzy Hash: C0D09231658A4ECBDF44EE08CCA06EA33A2FF99305F100839E51AD7291CA7DE815EB50

Function 00007FFD343F2E2E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced4e03f57a28df31c37e7dfa3b2834f8f68a2fa3ddfa3d67269a620f291a50d
Instruction ID: 36f8a83019a936e1f8f24d33cc60fe6426ac997059871c135704ed8d3e278768
Opcode Fuzzy Hash: ced4e03f57a28df31c37e7dfa3b2834f8f68a2fa3ddfa3d67269a620f291a50d
Instruction Fuzzy Hash: B6C0805354C8054BEF90660C54D14D17351DF73384F4400E2E948D6147FD2C6555DDC0

Function 00007FFD343F6776 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf7f8c5b4b8c64152b6301c06544e66085c23ac56d1da21db8e5555bd61056c
Instruction ID: 5630e1bb4b4576e559c783ff300bb4eb5128da7107f565daad62463e112baf82
Opcode Fuzzy Hash: bbf7f8c5b4b8c64152b6301c06544e66085c23ac56d1da21db8e5555bd61056c
Instruction Fuzzy Hash: ECD01230B597464FD3C6CE2C44503893AE3AF85320F0940BD444DDF162D6348841C705

Function 00007FFD343F672E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccd38878b6000bee38b6f3346a70ab7fb03d499f7bcbf5df294699247d594a5
Instruction ID: 2c8b38efe55fe29bcb5844199048b43186139c0fbdcd47bd0d1cd7c2da15af15
Opcode Fuzzy Hash: 5ccd38878b6000bee38b6f3346a70ab7fb03d499f7bcbf5df294699247d594a5
Instruction Fuzzy Hash: 89C01231A49A188FD3A0EB24C0903A8B2A2AF9A300F3040F9C10DD3292CA39A8C19F00

Function 00007FFD343F3C1C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a21f739966a1553dd4a2b922236be62b2ccdd2b2cc3c419219326c19c33f4a
Instruction ID: 1fb44ffc1eb2cebbad250c2d49f1bc0d68face358a1fbd5b9e72ad4aac04ff57
Opcode Fuzzy Hash: 49a21f739966a1553dd4a2b922236be62b2ccdd2b2cc3c419219326c19c33f4a
Instruction Fuzzy Hash: B3C04C61F0854DCBF764EB59C4A036865929FDA310F184139810DD72D5DDBC58815756

Function 00007FFD343F6AF9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa92ed68d2f8daa5cb15eb969a711750194a513a1ec119936546ed303319cb6b
Instruction ID: c40c64430538f56e9b968068b042a3df5847fb3bc0066230c74f10229c55954a
Opcode Fuzzy Hash: aa92ed68d2f8daa5cb15eb969a711750194a513a1ec119936546ed303319cb6b
Instruction Fuzzy Hash: 23B01212D2881949E394DA5888607AC50F0EF04300F450572D40DD3182DA6C14005640

Function 00007FFD343F8EF7 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310166e3a2a44fb15108edde102e041a1813e72ec762473183a8e648827ced89
Instruction ID: 0f8cebf6560eee86a52c067cfdb2e7ae23f275349f2a451661f7727541ffe2b6
Opcode Fuzzy Hash: 310166e3a2a44fb15108edde102e041a1813e72ec762473183a8e648827ced89
Instruction Fuzzy Hash: C2A002B3E5C10E9AE76C9A6988543ED65E19F49314F258036C21EE3180D67C98517F25

Non-executed Functions

Function 00007FFD343F9307 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4025533621.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd343f0000_QUOTATION_NOVQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20802dde330b096809a5033df3ef4be0fe3adfe56ddebe253e0bb369174256a9
Instruction ID: ea3682ee369fed30d0dfbaac35a9fca18dac07b00746aee7294ffd3e28e6b4b4
Opcode Fuzzy Hash: 20802dde330b096809a5033df3ef4be0fe3adfe56ddebe253e0bb369174256a9
Instruction Fuzzy Hash: D781286244E3C24FD3138B748CB6592BFB19F13224B0E85EBC4C5CB4A3E55D685AD762

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_NOVQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
QUOTATION_NOVQTRA071244#U00faPDF.scr.exe