Edit tour

Windows Analysis Report
RICHIESTA D'OFFERTA.exe

Overview

General Information

Sample name:	RICHIESTA D'OFFERTA.exe
Analysis ID:	1562482
MD5:	30261dc03eec3dbff1a9108a879af3ac
SHA1:	6648a6d4c108a7345ab46772a6870304b6a635cf
SHA256:	2362b4a5329f506af677d1e4cac2b92da252afdf4842bf4e8796b43c4ccb6714
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RICHIESTA D'OFFERTA.exe (PID: 2124 cmdline: "C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe" MD5: 30261DC03EEC3DBFF1A9108A879AF3AC)

RICHIESTA D'OFFERTA.exe (PID: 4228 cmdline: "C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe" MD5: 30261DC03EEC3DBFF1A9108A879AF3AC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "admin@ercolina-usa.com", "Password": ",%EVY$JU0=lu"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1674952910.0000000006A40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 4228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 4228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RICHIESTA D'OFFERTA.exe.6a40000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.6a40000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35fef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x36061:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x360eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3617d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x361e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x36259:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x362ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3637f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x33095:$s2: GetPrivateProfileString 0x326cb:$s3: get_OSFullName 0x33e9d:$s5: remove_Key 0x34033:$s5: remove_Key 0x34f6a:$s6: FtpWebRequest 0x35fd1:$s7: logins 0x36543:$s7: logins 0x39220:$s7: logins 0x39300:$s7: logins 0x3adcd:$s7: logins 0x39e9a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x341ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34261:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x342eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3437d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x343e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34459:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x344ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3457f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31295:$s2: GetPrivateProfileString 0x308cb:$s3: get_OSFullName 0x3209d:$s5: remove_Key 0x32233:$s5: remove_Key 0x3316a:$s6: FtpWebRequest 0x341d1:$s7: logins 0x34743:$s7: logins 0x37420:$s7: logins 0x37500:$s7: logins 0x38fcd:$s7: logins 0x3809a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x341ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34261:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x342eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3437d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x343e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34459:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x344ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3457f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31295:$s2: GetPrivateProfileString 0x308cb:$s3: get_OSFullName 0x3209d:$s5: remove_Key 0x32233:$s5: remove_Key 0x3316a:$s6: FtpWebRequest 0x341d1:$s7: logins 0x34743:$s7: logins 0x37420:$s7: logins 0x37500:$s7: logins 0x38fcd:$s7: logins 0x3809a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35fef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x36061:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x360eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3617d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x361e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x36259:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x362ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3637f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x33095:$s2: GetPrivateProfileString 0x326cb:$s3: get_OSFullName 0x33e9d:$s5: remove_Key 0x34033:$s5: remove_Key 0x34f6a:$s6: FtpWebRequest 0x35fd1:$s7: logins 0x36543:$s7: logins 0x39220:$s7: logins 0x39300:$s7: logins 0x3adcd:$s7: logins 0x39e9a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35fef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7740f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x36061:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x77481:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x360eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7750b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3617d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7759d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x361e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x77607:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x36259:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x77679:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x362ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7770f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3637f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x7779f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x33095:$s2: GetPrivateProfileString 0x744b5:$s2: GetPrivateProfileString 0x326cb:$s3: get_OSFullName 0x73aeb:$s3: get_OSFullName 0x33e9d:$s5: remove_Key 0x34033:$s5: remove_Key 0x752bd:$s5: remove_Key 0x75453:$s5: remove_Key 0x34f6a:$s6: FtpWebRequest 0x7638a:$s6: FtpWebRequest 0x35fd1:$s7: logins 0x36543:$s7: logins 0x39220:$s7: logins 0x39300:$s7: logins 0x3adcd:$s7: logins 0x773f1:$s7: logins 0x77963:$s7: logins 0x7a640:$s7: logins 0x7a720:$s7: logins 0x7c1ed:$s7: logins 0x39e9a:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xdae5f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x27738f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2b87af:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xdaed1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x277401:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2b8821:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xdaf5b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x27748b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2b88ab:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xdafed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x27751d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2b893d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xdb057:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x277587:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2b89a7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xdb0c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2775f9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2b8a19:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xdb15f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x27768f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2b8aaf:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0xd7f05:$s2: GetPrivateProfileString 0x274435:$s2: GetPrivateProfileString 0x2b5855:$s2: GetPrivateProfileString 0xd753b:$s3: get_OSFullName 0x273a6b:$s3: get_OSFullName 0x2b4e8b:$s3: get_OSFullName 0xd8d0d:$s5: remove_Key 0xd8ea3:$s5: remove_Key 0x27523d:$s5: remove_Key 0x2753d3:$s5: remove_Key 0x2b665d:$s5: remove_Key 0x2b67f3:$s5: remove_Key 0xd9dda:$s6: FtpWebRequest 0x27630a:$s6: FtpWebRequest 0x2b772a:$s6: FtpWebRequest 0xdae41:$s7: logins 0xdb3b3:$s7: logins 0xde090:$s7: logins 0xde170:$s7: logins 0xdfc3d:$s7: logins 0x277371:$s7: logins
0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10e89:$s1: file:/// 0x10de5:$s2: {11111-22222-10009-11112} 0x10e19:$s3: {11111-22222-50001-00000} 0xf1b3:$s4: get_Module 0xd7885:$s5: Reverse 0x273db5:$s5: Reverse 0x2b51d5:$s5: Reverse 0xda3f5:$s6: BlockCopy 0x276925:$s6: BlockCopy 0x2b7d45:$s6: BlockCopy 0x2f8116:$s6: BlockCopy 0xd7b2a:$s7: ReadByte 0x27405a:$s7: ReadByte 0x2b547a:$s7: ReadByte 0x2f7f8e:$s7: ReadByte 0x10e9b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 29 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "admin@ercolina-usa.com", "Password": ",%EVY$JU0=lu"}

Multi AV Scanner detection for submitted file

Source: RICHIESTA D'OFFERTA.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RICHIESTA D'OFFERTA.exe

Joe Sandbox ML: detected

Source: RICHIESTA D'OFFERTA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: RICHIESTA D'OFFERTA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: GUjq.pdb source: RICHIESTA D'OFFERTA.exe
Source:	Binary string: GUjq.pdbSHA256> source: RICHIESTA D'OFFERTA.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 192.254.225.136 192.254.225.136
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ftp.ercolina-usa.com

Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ercolina-usa.com
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.ercolina-usa.com
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RICHIESTA D'OFFERTA.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674836946.0000000005390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com8:5
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_0270D344	0_2_0270D344
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E60040	0_2_04E60040
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E60006	0_2_04E60006
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E67269	0_2_04E67269
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B6140	0_2_070B6140
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070BED98	0_2_070BED98
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070BB6D0	0_2_070BB6D0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B0559	0_2_070B0559
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B0560	0_2_070B0560
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B95F8	0_2_070B95F8
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B91C0	0_2_070B91C0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070BACD0	0_2_070BACD0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B9A21	0_2_070B9A21
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B9A30	0_2_070B9A30
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B482F	0_2_070B482F
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_051EEE18	2_2_051EEE18
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_051E3E68	2_2_051E3E68
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_051E4A80	2_2_051E4A80
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_051E41B0	2_2_051E41B0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B55AEC	2_2_06B55AEC
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B562F9	2_2_06B562F9
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B56308	2_2_06B56308
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B52110	2_2_06B52110
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B56FF0	2_2_06B56FF0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B6AEC0	2_2_06B6AEC0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B66288	2_2_06B66288
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B6C230	2_2_06B6C230
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B67A10	2_2_06B67A10
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B65270	2_2_06B65270
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B63138	2_2_06B63138
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B6E458	2_2_06B6E458
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B67330	2_2_06B67330
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B60006	2_2_06B60006
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B60040	2_2_06B60040
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B6597B	2_2_06B6597B

Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8d205da5-a06f-41c4-923e-b97a14abb967.exe4 vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674952910.0000000006A40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1675957811.00000000075B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1671636904.00000000028A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1670425258.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1671636904.00000000028E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8d205da5-a06f-41c4-923e-b97a14abb967.exe4 vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4125626222.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000440000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8d205da5-a06f-41c4-923e-b97a14abb967.exe4 vs RICHIESTA D'OFFERTA.exe
Source: RICHIESTA D'OFFERTA.exe	Binary or memory string: OriginalFilenameGUjq.exe@ vs RICHIESTA D'OFFERTA.exe

Source: RICHIESTA D'OFFERTA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: RICHIESTA D'OFFERTA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RICHIESTA D'OFFERTA.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Mutant created: NULL

Source: RICHIESTA D'OFFERTA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RICHIESTA D'OFFERTA.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RICHIESTA D'OFFERTA.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe "C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe"
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process created: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe "C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe"
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process created: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe "C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: RICHIESTA D'OFFERTA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RICHIESTA D'OFFERTA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RICHIESTA D'OFFERTA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: GUjq.pdb source: RICHIESTA D'OFFERTA.exe
Source:	Binary string: GUjq.pdbSHA256> source: RICHIESTA D'OFFERTA.exe

Source: RICHIESTA D'OFFERTA.exe

Static PE information: 0xCFC4B207 [Sun Jun 16 14:39:03 2080 UTC]

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_0270F354 push esp; iretd	0_2_0270F3F1
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E6F4D7 pushfd ; iretd	0_2_04E6F4E6
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E659E3 push ss; ret	0_2_04E659E4
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E65A52 push edx; iretd	0_2_04E65A58
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_04E65A32 push edx; iretd	0_2_04E65A33
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B8C30 push eax; retf	0_2_070B8C31
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 0_2_070B8CB7 push esp; retf	0_2_070B8CB8
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_051E0C6D push edi; retf	2_2_051E0C7A
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B5F4E0 push es; ret	2_2_06B5F4F0
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B5B522 push es; ret	2_2_06B5B530
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Code function: 2_2_06B55500 push eax; ret	2_2_06B55501

Source: RICHIESTA D'OFFERTA.exe

Static PE information: section name: .text entropy: 7.940237919851289

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 48A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 7840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 8840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 89F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 99F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599107	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598410	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 596826	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299874	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299765	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299655	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299531	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299421	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299291	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299170	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299044	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298927	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298784	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298664	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298538	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298434	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298328	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298218	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298109	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297999	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297890	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297778	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297671	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297562	Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Window / User API: threadDelayed 7646			Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Window / User API: threadDelayed 2197			Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 2844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 6328	Thread sleep count: 7646 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 6328	Thread sleep count: 2197 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -599107s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598410s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -596826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299291s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299170s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -299044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298927s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298784s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298664s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298538s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298434s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -298109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -297999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -297890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -297778s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -297671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe TID: 7000	Thread sleep time: -297562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 599107	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598410	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598171	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 596826	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299874	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299765	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299655	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299531	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299421	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299291	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299170	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 299044	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298927	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298784	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298664	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298538	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298434	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298328	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298218	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 298109	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297999	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297890	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297778	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297671	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Thread delayed: delay time: 297562	Jump to behavior

Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RICHIESTA D'OFFERTA.exe, 00000002.00000002.4125691089.000000000102C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Code function: 2_2_051E77E0 CheckRemoteDebuggerPresent,

2_2_051E77E0

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Memory written: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Process created: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe "C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 4228, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.6a40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.6a40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1674952910.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 4228, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RICHIESTA D'OFFERTA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3b40f50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.3affb30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RICHIESTA D'OFFERTA.exe PID: 4228, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.6a40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.6a40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1674952910.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.RICHIESTA D'OFFERTA.exe.38be790.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	2 Obfuscated Files or Information	11 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	531 Security Software Discovery	Distributed Component Object Model	11 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RICHIESTA D'OFFERTA.exe	47%	ReversingLabs	Win32.Trojan.Leonem
RICHIESTA D'OFFERTA.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.sakkal.com8:5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ercolina-usa.com	192.254.225.136	true	true	unknown
api.ipify.org	104.26.12.205	true	false	high
ip-api.com	208.95.112.1	true	false	high
ftp.ercolina-usa.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	RICHIESTA D'OFFERTA.exe	false		high
http://www.tiro.com	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ftp.ercolina-usa.com	RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ercolina-usa.com	RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RICHIESTA D'OFFERTA.exe, 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com8:5	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674836946.0000000005390000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RICHIESTA D'OFFERTA.exe, 00000002.00000002.4126679539.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	RICHIESTA D'OFFERTA.exe, 00000000.00000002.1674996373.0000000006A82000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.254.225.136	ercolina-usa.com	United States	46606	UNIFIEDLAYER-AS-1US	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562482
Start date and time:	2024-11-25 16:09:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RICHIESTA D'OFFERTA.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 111 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: RICHIESTA D'OFFERTA.exe

Simulations

Behavior and APIs

Time	Type	Description
10:09:55	API Interceptor	10267090x Sleep call for process: RICHIESTA D'OFFERTA.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.254.225.136	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse
	PURCHASE SPCIFICIATIONS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	LISTA DE COTIZACIONES.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	QUOTATION#5400.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATION#2800-QUANTUM MACTOOLS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	QUOTATION#2800-QUANTUM MACTOOLS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	2JHGWjmJ46.exe	Get hash	malicious	AgentTesla	Browse
	COTIZACI#U00d3N#08673.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	vD6qU34v9S.exe	Get hash	malicious	AgentTesla	Browse
	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse
208.95.112.1	fat098765678900.bat.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	OC. 4515924646.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	windxcmd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	main.exe	Get hash	malicious	Blank Grabber, SilentXMRMiner, Xmrig	Browse	ip-api.com/json/?fields=225545
	_THALAT DEME DURUM.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DESIGN LOGO.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	Quote GVSE24-00815.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	fat098765678900.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	OC. 4515924646.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	windxcmd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	main.exe	Get hash	malicious	Blank Grabber, SilentXMRMiner, Xmrig	Browse	208.95.112.1
	_THALAT DEME DURUM.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DESIGN LOGO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	Quote GVSE24-00815.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
api.ipify.org	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe	Get hash	malicious	Unknown	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Rooming list.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.240
	file.exe	Get hash	malicious	Unknown	Browse	172.67.187.240
	Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://vectaire.doclawfederal.com/uDLtT/	Get hash	malicious	HTMLPhisher	Browse	172.67.201.42
	pJKrbGSI.ps1	Get hash	malicious	LummaC	Browse	172.67.218.163
	https://pastebin.com/raw/0v6Vhvpb	Get hash	malicious	Unknown	Browse	104.20.4.235
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	https://docs.zoom.us/doc/5mbYcD6lRBK5O3HcDEXhFA?from=email	Get hash	malicious	Unknown	Browse	172.67.201.42
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	104.21.24.198
UNIFIEDLAYER-AS-1US	Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
	fat098765678900.bat.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	108.179.192.137
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	192.254.239.1
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.144.157
	http://taerendil.free.fr/Kzf20FukxrNV0r0Xw3	Get hash	malicious	Unknown	Browse	216.172.172.72
	https://cgpsco.rahalat.net/conta	Get hash	malicious	Unknown	Browse	108.179.211.49
	https://google.lt/amp/taerendil.online.fr/gpfv9cqYcuejGaVElbEvNcI6wCkeo	Get hash	malicious	Unknown	Browse	216.172.172.72
	FGQ-667893.pdf	Get hash	malicious	Unknown	Browse	162.214.147.84
TUT-ASUS	fat098765678900.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	OC. 4515924646.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	windxcmd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	main.exe	Get hash	malicious	Blank Grabber, SilentXMRMiner, Xmrig	Browse	208.95.112.1
	_THALAT DEME DURUM.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DESIGN LOGO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	Quote GVSE24-00815.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Rooming list.js	Get hash	malicious	Remcos	Browse	104.26.12.205
	https://vectaire.doclawfederal.com/uDLtT/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://pastebin.com/raw/0v6Vhvpb	Get hash	malicious	Unknown	Browse	104.26.12.205
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.12.205
	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	http://begantotireo.xyz	Get hash	malicious	Unknown	Browse	104.26.12.205
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	104.26.12.205
	https://go.dgdp.net/	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.93237602796032
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RICHIESTA D'OFFERTA.exe
File size:	748'544 bytes
MD5:	30261dc03eec3dbff1a9108a879af3ac
SHA1:	6648a6d4c108a7345ab46772a6870304b6a635cf
SHA256:	2362b4a5329f506af677d1e4cac2b92da252afdf4842bf4e8796b43c4ccb6714
SHA512:	0b498b590bf825110a26574b93259b0922b38fb1a49454c83e87adb62091a8d1fd80f819e542baa13056e0d9171067b0b4fbf8d470fd509f0d4e95609dff6d36
SSDEEP:	12288:g/rYL3RbeXVdu9ZM/YJoDyVY25TdeH5GWjDRgyYf+6o1uT/Fn0Vy01:gDYL35eXVs/IYJ3lcG6D6yYf+6dTFN0
TLSH:	0DF412543768AF72DAB957FA6118D3C143F5E12B5232E3042FC7A1DB1A93B468E52B03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`..........J.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b7f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCFC4B207 [Sun Jun 16 14:39:03 2080 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7ef6	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb54a8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb5f50	0xb6000	95cb82c4fad6e7714d572c583ab1765a	False	0.9496882512019231	data	7.940237919851289	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x628	0x800	5ac05420970a2c66cf7c13ae2eee1764	False	0.33935546875	data	3.472567613396358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	48029cecb4f877338acc3d4a4dd7ed45	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb8090	0x398	OpenPGP Public Key			0.4217391304347826
RT_MANIFEST	0xb8438	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 16:09:56.830830097 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:56.830959082 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:56.831084967 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:56.838166952 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:56.838200092 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.111713886 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.111805916 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:58.114995956 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:58.115006924 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.115298033 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.157872915 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:58.167747021 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:58.211330891 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.578527927 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.578614950 CET	443	49732	104.26.12.205	192.168.2.4
Nov 25, 2024 16:09:58.578707933 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:58.585153103 CET	49732	443	192.168.2.4	104.26.12.205
Nov 25, 2024 16:09:58.729787111 CET	49734	80	192.168.2.4	208.95.112.1
Nov 25, 2024 16:09:58.849798918 CET	80	49734	208.95.112.1	192.168.2.4
Nov 25, 2024 16:09:58.849885941 CET	49734	80	192.168.2.4	208.95.112.1
Nov 25, 2024 16:09:58.850001097 CET	49734	80	192.168.2.4	208.95.112.1
Nov 25, 2024 16:09:58.970230103 CET	80	49734	208.95.112.1	192.168.2.4
Nov 25, 2024 16:09:59.992763042 CET	80	49734	208.95.112.1	192.168.2.4
Nov 25, 2024 16:10:00.032911062 CET	49734	80	192.168.2.4	208.95.112.1
Nov 25, 2024 16:10:00.561253071 CET	49734	80	192.168.2.4	208.95.112.1
Nov 25, 2024 16:10:00.697858095 CET	80	49734	208.95.112.1	192.168.2.4
Nov 25, 2024 16:10:00.697923899 CET	49734	80	192.168.2.4	208.95.112.1
Nov 25, 2024 16:10:01.471052885 CET	49736	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.597625971 CET	21	49736	192.254.225.136	192.168.2.4
Nov 25, 2024 16:10:01.597827911 CET	49736	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.600704908 CET	49736	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.631367922 CET	49737	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.720932961 CET	21	49736	192.254.225.136	192.168.2.4
Nov 25, 2024 16:10:01.721107006 CET	49736	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.751446962 CET	21	49737	192.254.225.136	192.168.2.4
Nov 25, 2024 16:10:01.751570940 CET	49737	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.751919985 CET	49737	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.753160954 CET	49738	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.872134924 CET	21	49737	192.254.225.136	192.168.2.4
Nov 25, 2024 16:10:01.872289896 CET	49737	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.873106003 CET	21	49738	192.254.225.136	192.168.2.4
Nov 25, 2024 16:10:01.873378992 CET	49738	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.873378992 CET	49738	21	192.168.2.4	192.254.225.136
Nov 25, 2024 16:10:01.994009972 CET	21	49738	192.254.225.136	192.168.2.4
Nov 25, 2024 16:10:01.994144917 CET	49738	21	192.168.2.4	192.254.225.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 16:09:56.686515093 CET	49752	53	192.168.2.4	1.1.1.1
Nov 25, 2024 16:09:56.824246883 CET	53	49752	1.1.1.1	192.168.2.4
Nov 25, 2024 16:09:58.590365887 CET	65229	53	192.168.2.4	1.1.1.1
Nov 25, 2024 16:09:58.729048967 CET	53	65229	1.1.1.1	192.168.2.4
Nov 25, 2024 16:10:00.562087059 CET	64832	53	192.168.2.4	1.1.1.1
Nov 25, 2024 16:10:01.469573021 CET	53	64832	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 16:09:56.686515093 CET	192.168.2.4	1.1.1.1	0x3d8b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 16:09:58.590365887 CET	192.168.2.4	1.1.1.1	0x7c0e	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 16:10:00.562087059 CET	192.168.2.4	1.1.1.1	0xb35b	Standard query (0)	ftp.ercolina-usa.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 16:09:56.824246883 CET	1.1.1.1	192.168.2.4	0x3d8b	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 16:09:56.824246883 CET	1.1.1.1	192.168.2.4	0x3d8b	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 16:09:56.824246883 CET	1.1.1.1	192.168.2.4	0x3d8b	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 25, 2024 16:09:58.729048967 CET	1.1.1.1	192.168.2.4	0x7c0e	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 16:10:01.469573021 CET	1.1.1.1	192.168.2.4	0xb35b	No error (0)	ftp.ercolina-usa.com	ercolina-usa.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 16:10:01.469573021 CET	1.1.1.1	192.168.2.4	0xb35b	No error (0)	ercolina-usa.com		192.254.225.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	208.95.112.1	80	4228	C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 16:09:58.850001097 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 25, 2024 16:09:59.992763042 CET	175	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 15:09:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.12.205	443	4228	C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 15:09:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 15:09:58 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 15:09:58 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e829017f9ba42f8-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1762&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1637689&cwnd=232&unsent_bytes=0&cid=9701eac77d8c6807&ts=478&x=0"
2024-11-25 15:09:58 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Target ID:	0
Start time:	10:09:54
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe"
Imagebase:	0x530000
File size:	748'544 bytes
MD5 hash:	30261DC03EEC3DBFF1A9108A879AF3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1674952910.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1672087688.00000000038A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:09:55
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RICHIESTA D'OFFERTA.exe"
Imagebase:	0x9c0000
File size:	748'544 bytes
MD5 hash:	30261DC03EEC3DBFF1A9108A879AF3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4126679539.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4126679539.0000000002DF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4124663414.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	235
Total number of Limit Nodes:	10

Executed Functions

Function 04E67269 Relevance: .9, Instructions: 949COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674247164.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77e2573bc375dc3cc43f5e471cbda2a25a1227ddf25cb2df6d3ae3b0f5eab98
Instruction ID: b87f4cf6fd061d83f2bb5d282cc8dfb7201583eae6b0969ded3348931dcfa336
Opcode Fuzzy Hash: e77e2573bc375dc3cc43f5e471cbda2a25a1227ddf25cb2df6d3ae3b0f5eab98
Instruction Fuzzy Hash: CCA2E634A40219CFDB64DF64C894AD9B7B2FF8A304F1191E9E9496B361DB31AE85CF40

Function 070BED98 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03333ab9d3b17960491bfeb19db6b6b33cb492b583cd1742d37c3ffa02b57e7
Instruction ID: ea23f161dc63a8671e244d6a05487c95ed2c5dbaca469e51a57e3f16808cc524
Opcode Fuzzy Hash: e03333ab9d3b17960491bfeb19db6b6b33cb492b583cd1742d37c3ffa02b57e7
Instruction Fuzzy Hash: A632AFB07012069FDB29DB69C994BEEB7F6AF89300F244569E505DB3A0CB30EE05CB51

Function 070B6140 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac02d504dbede4fe2e95fd5e81fea50718a21486ce05cc0b6b92547f688fa05f
Instruction ID: 8f3e3af669e45124f47e2e623fc22f1e564a84141b2c5115c3c9be43cd5749a6
Opcode Fuzzy Hash: ac02d504dbede4fe2e95fd5e81fea50718a21486ce05cc0b6b92547f688fa05f
Instruction Fuzzy Hash: AD2108B1D006189BEB28DFABC9453DEFAF7AFC9300F04C56AD509B6254DB7509468E90

Function 070B482F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6b923a346b9fa8ece7cc62c4d72258304e205885bfe0158a777eeff0591bf1
Instruction ID: 9af5b41936bec0c6ac2b053d2a1c23c0aa3bacaeaed7fe61e4e1df0663c92ecd
Opcode Fuzzy Hash: 8b6b923a346b9fa8ece7cc62c4d72258304e205885bfe0158a777eeff0591bf1
Instruction Fuzzy Hash: FC21EAB1E006189BEB18DFABCC006DEFAF7AFC9300F04C1B9D51966255EB340A458F61

Function 04E61793 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E61A02

Memory Dump Source

Source File: 00000000.00000002.1674247164.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 15c22aa313094fd90a194fc0e7b7ad6560302c75000b24d6502eea820777db8d
Instruction ID: dbc1ec93190681b4e0336f80256056720ed4cd18eaa96dba6d63db8645a885d9
Opcode Fuzzy Hash: 15c22aa313094fd90a194fc0e7b7ad6560302c75000b24d6502eea820777db8d
Instruction Fuzzy Hash: FC9189B1C093899FDB06CFA5C8949CDBFB1FF0A340F16819AE445AB262D734994ACF51

Function 070BBE44 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070BC086

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 65e7ba2804e076328d66f476afb45d945becb98a743bb3b434abda188cf14c76
Instruction ID: 6cc6e8130968fb7c816e22a43c6835a9e21b68e2fcc8e97daa1a09a0c58fcecb
Opcode Fuzzy Hash: 65e7ba2804e076328d66f476afb45d945becb98a743bb3b434abda188cf14c76
Instruction Fuzzy Hash: B8A14EB1D0021ADFEB20DF68C8417DEBBF2BF45314F1486A9E858A7250DB749A85CF91

Function 070BBE50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070BC086

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9c27bc7bb23f069e9b5be731f86bef7f03c58c9aea13c7da304521fa8ade7bb1
Instruction ID: 65ddc1bd954431704ba1223ab742204c144f3d230bdb3b07857da22ed07d7e97
Opcode Fuzzy Hash: 9c27bc7bb23f069e9b5be731f86bef7f03c58c9aea13c7da304521fa8ade7bb1
Instruction Fuzzy Hash: 5B914DB1D0021ADFEB20DF68C8417DEBBF2BF45314F1486A9E858A7250DB749A85CF91

Function 0270AD88 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0270AFDE

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f17d761683a9e3dd2c3f7b725146e332c879f746e007cab6fb87196ff7846966
Instruction ID: b708070b6d166ac2f4080387768d9ed360b52ac2415b87057598655b079807aa
Opcode Fuzzy Hash: f17d761683a9e3dd2c3f7b725146e332c879f746e007cab6fb87196ff7846966
Instruction Fuzzy Hash: BC710270A00B05CFD724DF29D09575ABBF2BF88304F008A29D58AD7A90DB75E949CB90

Function 04E618F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E61A02

Memory Dump Source

Source File: 00000000.00000002.1674247164.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e94fa165ab32ab8bace0b853dce6d684232051c0b5b06b3e382c86eb7c6381eb
Instruction ID: 0a1c486f1980d44111ffbd53bef86f49516ee2a94cf225d02b228f6721259cfe
Opcode Fuzzy Hash: e94fa165ab32ab8bace0b853dce6d684232051c0b5b06b3e382c86eb7c6381eb
Instruction Fuzzy Hash: A541C0B1D003499FDB15CF99C984ADEFBB5BF48354F24822AE819AB210D774A985CF90

Function 027044B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027059C9

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3961e527dc48654422f248d950232fda85d092329a750de2e4ab478f5bd01139
Instruction ID: 984c9e1328cf6d16e1b52b2304366d270badca5d867f91b263dbed02721b6b92
Opcode Fuzzy Hash: 3961e527dc48654422f248d950232fda85d092329a750de2e4ab478f5bd01139
Instruction Fuzzy Hash: 9D41D1B0C00619CFDB24DFAAC884B8EBBF5BF48304F64846AD409AB255DB756949CF90

Function 0270590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027059C9

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16d491daa9d274e88fdf5d53b9d522d0f1901b05ad643f2a42bf5218a3ee6cbe
Instruction ID: 5b481c12a98bdbb437468aff675569404086be7818edfcb9ca4927cc3de8d734
Opcode Fuzzy Hash: 16d491daa9d274e88fdf5d53b9d522d0f1901b05ad643f2a42bf5218a3ee6cbe
Instruction Fuzzy Hash: D241DFB0C0061DCFDB24CFA9C98478DBBF6BF49304F2484AAD409AB255DB756989CF90

Function 070B86CB Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394e92ed6b21157ea3b163aedc43bc1d99997a8e863b74aff06592bf10642f08
Instruction ID: f96dd28d8cbec891dc6ce951ae3ff0dc56dbcb8126c677e0df9e4389b226ee69
Opcode Fuzzy Hash: 394e92ed6b21157ea3b163aedc43bc1d99997a8e863b74aff06592bf10642f08
Instruction Fuzzy Hash: 8231B2718093D49FC712EF68C8646DABFF4EF07214F0584DBD4949B2A2C2749988CBA9

Function 04E64050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E64111

Memory Dump Source

Source File: 00000000.00000002.1674247164.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 177938b13318d050aedd97265e0e4fd719794ebec909d3482826f87ccc8956b6
Instruction ID: 1d07082f9d9efee8ec54b1971ae511ed780b62ff7d11e65ae9fea1fed6b6f6d0
Opcode Fuzzy Hash: 177938b13318d050aedd97265e0e4fd719794ebec909d3482826f87ccc8956b6
Instruction Fuzzy Hash: BC4148B8A00319DFDB14CF99C848AAABBF5FF88314F24C559D419AB361D374A841CFA5

Function 070BBBC7 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070BBC58

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b05e07edef4a492c3c9f6808cb64df2a81ae25b529546e9266e95152b68ad94a
Instruction ID: 58915636deae2365dbedf0d3013823e9d529424cf4076f66c2366c8caef5c834
Opcode Fuzzy Hash: b05e07edef4a492c3c9f6808cb64df2a81ae25b529546e9266e95152b68ad94a
Instruction Fuzzy Hash: 41212AB19003599FCB10DFA9C985BDEBBF5FF48310F10842AE559A7250C7789544CFA4

Function 070BBBC8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070BBC58

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c816d0d387975c213817d1c6e5fe62ea1bdfe7dcabb574212020f34d5fd2f3a4
Instruction ID: 97982750c0a71c7ca0eb0017bb3d10cee42afaa008a570fbe3c8c62d82172d24
Opcode Fuzzy Hash: c816d0d387975c213817d1c6e5fe62ea1bdfe7dcabb574212020f34d5fd2f3a4
Instruction Fuzzy Hash: 192127B19003599FCB10DFA9C985BDEBBF5FF48310F10882AE959A7250C778A944CFA4

Function 070BBCB1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070BBD38

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f260672bd4047ffe7786679808c6248a4bf166c24cd7fd447041a019b6a9322c
Instruction ID: 25c26c3daf172d332311a9814b9cd17c235ef493fe1d349ada48c2b1544d81f8
Opcode Fuzzy Hash: f260672bd4047ffe7786679808c6248a4bf166c24cd7fd447041a019b6a9322c
Instruction Fuzzy Hash: 3C2155B18003499FCB10CFAAC881AEEBBF5FF48320F10882EE558A7251C7389544CBA4

Function 070BB5F3 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070BB676

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 633038ba94b706b3fcb8f7b5ce667f5dd40b4b1e2428d93de93ba8350fdb3a71
Instruction ID: dbbe5c03bdf47036040d8b2f6c38600b267ab3419d74b78381608c49e3a5dd2c
Opcode Fuzzy Hash: 633038ba94b706b3fcb8f7b5ce667f5dd40b4b1e2428d93de93ba8350fdb3a71
Instruction Fuzzy Hash: 9C2139B19003099FDB10DFAAC4857EEBBF4AF48324F14842AD459A7241DB78A984CFA4

Function 0270B770 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0270D626,?,?,?,?,?), ref: 0270D6E7

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c99f97af47943ea119e948c1940dceb20c23d533f08b38ee30059b7f5315e6c2
Instruction ID: 2093d69362af482b4cd290c200241e8eb06b23efc616b32423c7a706719d00f4
Opcode Fuzzy Hash: c99f97af47943ea119e948c1940dceb20c23d533f08b38ee30059b7f5315e6c2
Instruction Fuzzy Hash: 6021E3B5900348EFDB10CFDAD584ADEBBF8EB48314F14842AE918A7350D378A944CFA5

Function 070BB5F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070BB676

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 092fbc3fb436be5b737698a9a8c297788804a6617313d6e63ec143e2a5118286
Instruction ID: 68e6b4f4bec79775802d0eba8ae3a34b7be58ef1adb9c806fac0b7198df7810c
Opcode Fuzzy Hash: 092fbc3fb436be5b737698a9a8c297788804a6617313d6e63ec143e2a5118286
Instruction Fuzzy Hash: 2E2129B1D003099FDB10DFAAC4857EEBBF4EF48324F14842AD459A7251DB78A944CFA4

Function 070BBCB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070BBD38

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3f9f902880fbfc038c588b2b071636e745fdbbcea60b46bac0aaa17872d5d3da
Instruction ID: d201ec76b76f9d2c2935d1735bda4eab6d03108463f3d0a164ee2bb7e66e4817
Opcode Fuzzy Hash: 3f9f902880fbfc038c588b2b071636e745fdbbcea60b46bac0aaa17872d5d3da
Instruction Fuzzy Hash: 252139B19003599FCB10DFAAC841ADEFBF5FF48320F50882AE558A7250D7389544CFA4

Function 0270D658 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0270D626,?,?,?,?,?), ref: 0270D6E7

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e911f8038691c111dc3e792e11e0690c87e1440f77ad9f8f7606b49de3b2afd4
Instruction ID: 2f6555329f435f356a91817b0894e2beed5354f6af60a04444cc0e9d5013ce64
Opcode Fuzzy Hash: e911f8038691c111dc3e792e11e0690c87e1440f77ad9f8f7606b49de3b2afd4
Instruction Fuzzy Hash: 4221E2B5900209DFDB10CFAAD584ADEBBF5FB48310F14841AE958A7250C778A944CFA4

Function 070BBB00 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070BBB76

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 00f562d7205702fee165218114ede2c4d7ab3537ccab2f43cfd8d04d51612595
Instruction ID: be2e4f29eb941b45c685473c5e1639dbc44a70c62887fa884f6ceaa81a57df67
Opcode Fuzzy Hash: 00f562d7205702fee165218114ede2c4d7ab3537ccab2f43cfd8d04d51612595
Instruction Fuzzy Hash: 61214AB1800249DFCB10DFAAC845ADEBFF5EF48320F14881AD555A7250C775A954CFA5

Function 070BBB08 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070BBB76

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cef919b5093ae9c54b5df432359575da238afb6e23f4bd30db200a818f391e0c
Instruction ID: 505f02a2d1ef57676d4ce756086864e63439075b9e0d633e5a8d1432264b7a90
Opcode Fuzzy Hash: cef919b5093ae9c54b5df432359575da238afb6e23f4bd30db200a818f391e0c
Instruction Fuzzy Hash: DD1137B1900249DFCB20DFAAC844BDEBFF5EF88320F10881AE555A7250C775A944CFA4

Function 070BB543 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070BB5AA

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7c18db06cf8526e300410fe1e0cf38477ba0103bb6666e692502824489a87b4c
Instruction ID: 74ef220a9b76d720302b69728273c0c5878ad5a11f2b1d875a65550ce666034f
Opcode Fuzzy Hash: 7c18db06cf8526e300410fe1e0cf38477ba0103bb6666e692502824489a87b4c
Instruction Fuzzy Hash: 781116B19003498FCB20DFAAD4457DEFFF5AF88324F24881AD459A7250CA75A944CFA5

Function 070BE0D0 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070BE135

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e66cee2df22c6a492b508e10968f074a634749fc087fc9598658cb04c1b51e42
Instruction ID: 8623fa39ff1892ec8f22e1c859ad7b11fa7fa18982e8a28e23e34daa89920590
Opcode Fuzzy Hash: e66cee2df22c6a492b508e10968f074a634749fc087fc9598658cb04c1b51e42
Instruction Fuzzy Hash: 8E1128B58003499FCB20CF99D844BDEBFF8EB48324F20885AD454A7340C374A584CFA5

Function 070BB548 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070BB5AA

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 547f620ba425d94616308738bc8c2b6f5f185c0a3b2205e8bd584bd68a90d5ad
Instruction ID: a83f51e11dba54044cdb70048c601566ef0f2eba70a85f3cdded7f5e438e5025
Opcode Fuzzy Hash: 547f620ba425d94616308738bc8c2b6f5f185c0a3b2205e8bd584bd68a90d5ad
Instruction Fuzzy Hash: B4113AB19003498FCB20DFAAC4457DEFBF5EF88324F24881AD459A7250C775A944CFA5

Function 0270AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0270AFDE

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9abd3769fa81cd7b288131bccda99db05e0101614e78c9ba2858f1a31f4ca315
Instruction ID: 2df94f002f10f60d0bf5c55b9b4ad78e56ac0a4ce719cca2fe77b9b1f9435875
Opcode Fuzzy Hash: 9abd3769fa81cd7b288131bccda99db05e0101614e78c9ba2858f1a31f4ca315
Instruction Fuzzy Hash: 381110B6C00349CFCB10CF9AC444ADEFBF4AF89328F10842AD528A7250C379A545CFA1

Function 070B8748 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070BE135

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a9d80b211e3daa5fe6b21203b2d1e4017981bc17ef5e35ad386712bb09c1fffe
Instruction ID: 11f552209ad9667a40b1707cd37ffe428866c6a9cf9d5a5053725926275d56a7
Opcode Fuzzy Hash: a9d80b211e3daa5fe6b21203b2d1e4017981bc17ef5e35ad386712bb09c1fffe
Instruction Fuzzy Hash: 361106B5800349DFDB20DF99C844BDEBBF8EB48324F10885AE554A7300C375A944CFA5

Function 070BBBC0 Relevance: 1.5, APIs: 1, Instructions: 38injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070BBC58

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 436f6764f846eef8daeef395dbff6aeaf458dfea133d9f1102cbe8db821c57b9
Instruction ID: f078fe5491cfb5aac0c2c7309dcbab751a6d9fc40b9a1d5cd20b4a7044c3136b
Opcode Fuzzy Hash: 436f6764f846eef8daeef395dbff6aeaf458dfea133d9f1102cbe8db821c57b9
Instruction Fuzzy Hash: A701F4B280020ADFDF20CF94C8057DDBBF1EF48324F14C41AE19867261C7398555DB61

Function 00DAD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671023120.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25f50a5a09f7aa7654641db92e0ead4c2b12137009356420d699e84d807c304
Instruction ID: dfa744bac518c51a94471ae764ab8a72ca66bd338f8d59a25f4fce35f2715e06
Opcode Fuzzy Hash: f25f50a5a09f7aa7654641db92e0ead4c2b12137009356420d699e84d807c304
Instruction Fuzzy Hash: 80214571100200DFDB00DF04C9C0B2ABF66FB98324F24C169E80A0B65AC37AE846CAB2

Function 0105D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671131893.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844c735db084b8b7e62bcabb772f696a07063cb2202562c69d842a671256abed
Instruction ID: 68e05a345c28d8bcf5e281b39b8a3dc031bd855c98caddf20230aa671171fdc8
Opcode Fuzzy Hash: 844c735db084b8b7e62bcabb772f696a07063cb2202562c69d842a671256abed
Instruction Fuzzy Hash: D6213471504200EFDB81DF98D9C0B2BBBA5FB94324F20C6AEEC894B252C336D446CB61

Function 0105D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671131893.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a253ad26b44cf04f5ea47fb98a68a24204966879f1f9fb2781ad7faee9435e
Instruction ID: 8c04f19d076f58ef106d9efb24c70375464668edd2e144c1d7c8feb3e2233ae4
Opcode Fuzzy Hash: 16a253ad26b44cf04f5ea47fb98a68a24204966879f1f9fb2781ad7faee9435e
Instruction Fuzzy Hash: DE210071604200DFDB95DF58D984B2BBBA5EB84314F20C5AAED8A4B256C33AD847CB61

Function 0105D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671131893.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3cbdcba60c27e29c98f794b2a49199b08ca02c7216d7a8e687ca775ccc7429
Instruction ID: 3dd2fc00ec4de7b6cd34a6757d078d3ce065e94e8bba96700dad45e1ecea6640
Opcode Fuzzy Hash: 5e3cbdcba60c27e29c98f794b2a49199b08ca02c7216d7a8e687ca775ccc7429
Instruction Fuzzy Hash: 7F21A4755093808FDB53CF64D994716BFB1EB45214F28C5DBD8898B2A7C33AD40ACB62

Function 00DAD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671023120.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 44dcdaa7fbeafbd55e6a9e55978eedcfe11dd050ec64594c3ab5a880387003e5
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E5112676404240CFDB02CF00D5C4B16BF72FB98324F28C6A9DC0A0B656C33AE85ACBA1

Function 0105D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671131893.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 81707d4bf60ff7c1f66d27e3e425c78f0418eee26a835f846a5e122523395514
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 6011BB75504280DFDB42CF54C5C4B16BFA1FB84224F24C6AEDC894B296C33AD44ACB61

Function 00DAD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671023120.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dc45cf9163b69dd3e15aa0087b4028cc77d3a3eca0487a1de3b199bb39db6f
Instruction ID: 42844e050e4bff44dc184b503e56667a8444071010a921442651846360ece70f
Opcode Fuzzy Hash: 45dc45cf9163b69dd3e15aa0087b4028cc77d3a3eca0487a1de3b199bb39db6f
Instruction Fuzzy Hash: 9F01DB710093409AE7144A25CD84767FFE9EF52325F1CC92AED4B4A696C379DC40CA71

Function 00DAD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671023120.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040c744f32c30d403041b24b06c9113471f2a1c52f0220e376310b8fd36d21eb
Instruction ID: 32f55488d0221581c5093198f4b6eadeae31675e712b6bd19696e65e5c8e5e97
Opcode Fuzzy Hash: 040c744f32c30d403041b24b06c9113471f2a1c52f0220e376310b8fd36d21eb
Instruction Fuzzy Hash: 51F09071409344AEE7248A1ADCC4B62FFA8EF51735F18C45AED0A5F686C379AC44CAB1

Non-executed Functions

Function 04E60040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674247164.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c116a928ecfc6b79f9891824b385edfa153f00ee28004f5e591171fc49b8a8c
Instruction ID: 18074ac841a8f46cc8c0e44b4a0fb3709609c12870e21a603c5cf170205667cc
Opcode Fuzzy Hash: 2c116a928ecfc6b79f9891824b385edfa153f00ee28004f5e591171fc49b8a8c
Instruction Fuzzy Hash: 9F1276B0C827468AE710CF66E98C2893BB1FB45318FD0CA19DA616F2E5D7B4156ECF44

Function 070BB6D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340185689bde6e6bb9477b4943cdb5fa04524aeaeb1d23bba853e2a16262e077
Instruction ID: 5fc2664d6d7d000bba7f5bfcfad87c95bc533a0a2947a05e5466484fdd788c3f
Opcode Fuzzy Hash: 340185689bde6e6bb9477b4943cdb5fa04524aeaeb1d23bba853e2a16262e077
Instruction Fuzzy Hash: 36E1C8B5E005198FDB14DFA9C5809AEFBF2BF89304F248269E415AB35AD731A941CF60

Function 070B95F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be40e1c555ec87250be644bf3fb3acce031b1c0cedb90193aa05f8ade415cd9
Instruction ID: 98e218c6fda6fbfcdb7c551f359cd6136d20dc41c517c8002422624249df7bf9
Opcode Fuzzy Hash: 9be40e1c555ec87250be644bf3fb3acce031b1c0cedb90193aa05f8ade415cd9
Instruction Fuzzy Hash: 84E1EAB4E10519CFDB14DFA9C5809AEFBF2BF89304F248169E514AB359D731A941CFA0

Function 070B91C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42892582071a7fc69fde6ac6461444363d3766b7ae9230cef9c8faf7edc2ba0b
Instruction ID: 8ae9f0376d2e7ce605756b7b59fde2c8be643973a488b17dce901e59a8e54682
Opcode Fuzzy Hash: 42892582071a7fc69fde6ac6461444363d3766b7ae9230cef9c8faf7edc2ba0b
Instruction Fuzzy Hash: 41E1F8B4E10519CFDB14DFA9C5809AEFBF2BF89304F248269E514AB35AD730A941CF60

Function 070BACD0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62db53bd54b075dd11231e70d617c0c3cb91a1e9c31b697fe5c69bd092b07bef
Instruction ID: b8af101bb257f810b99a910318f79a7ac0c1f5c86cf17659eb42b29c683bcf1a
Opcode Fuzzy Hash: 62db53bd54b075dd11231e70d617c0c3cb91a1e9c31b697fe5c69bd092b07bef
Instruction Fuzzy Hash: 5BE1E9B5E005198FDB14DFA9C5809AEFBF2BF89304F24C269E415AB35AD731A941CF60

Function 070B9A30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68e46509b6e2bab3ac46b5091088f4a13e13a557c2a4c496d41f3274fef4324
Instruction ID: e57cea2a13d27b847334af509814b1ddd14e7650db669ae2dfb1c2383faf0529
Opcode Fuzzy Hash: a68e46509b6e2bab3ac46b5091088f4a13e13a557c2a4c496d41f3274fef4324
Instruction Fuzzy Hash: 80E1E7B5E10519CFDB14DFA9C5809AEFBF2BF89304F248269E514AB35AD730A941CF60

Function 070B0559 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4596bb517d6df16ce51de292dfab65ad6a48c9ce09326fe2b5944820ae18575
Instruction ID: 5072aa1c4a6950b93046d963e5fde5b540efc55ba8450f4f654b15a125694336
Opcode Fuzzy Hash: a4596bb517d6df16ce51de292dfab65ad6a48c9ce09326fe2b5944820ae18575
Instruction Fuzzy Hash: C3D1F735910B5A8ACB11EF64D950A9DF772FF95300F20C79AE50A77224EB70AAC5CF90

Function 0270D344 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671413505.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a12dcdbd3ed731fd2e6aad14b3ae3aacc9175b27fd018f01f90dcf5d233d6a4
Instruction ID: ff880e535dfe0e7ff0b88d3dfce73caa7b70a13649ac355ef59ffe639d687ae7
Opcode Fuzzy Hash: 0a12dcdbd3ed731fd2e6aad14b3ae3aacc9175b27fd018f01f90dcf5d233d6a4
Instruction Fuzzy Hash: 11A15C32E00205CFCF25DFA4C88499EB7F2FF84304B15856AE901AB2A5DF71E95ACB41

Function 070B0560 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31def9d8f9d079ff09b928b4179cc08e3233c99607ce1c2d6ccb269e3d56d03
Instruction ID: b1419f9a67d58f77d72446b383add952b1de6c5dfebc8ab643d12fd0aabbb533
Opcode Fuzzy Hash: e31def9d8f9d079ff09b928b4179cc08e3233c99607ce1c2d6ccb269e3d56d03
Instruction Fuzzy Hash: 3CD1E635910B5A8ACB11EF64D950A9DF772FF95300F20C79AE50A77224EB70AAC5CF90

Function 04E60006 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674247164.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5210f020a84bd0a44b04f532e59ea8e14999d6b5cbb66df0a4366ccc55ac5530
Instruction ID: 3fd5b17b3e26071ef5fae6673a864ce6407ac36aec391e00500cb717d6fe7dcf
Opcode Fuzzy Hash: 5210f020a84bd0a44b04f532e59ea8e14999d6b5cbb66df0a4366ccc55ac5530
Instruction Fuzzy Hash: B5D12BB0C817468FE710CF26E98C2893BB1FB85314F958A19D9616F2E5DBB414AECF44

Function 070B9A21 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675709484.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70b0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d1abf60bcd796a78faf4eb3e2621acf1a222e1aed75c51f61f1db096cdb032
Instruction ID: 03b6fa8cee11a6fec7f48bd3c93b1da1bdd948a67ff53b406ca617ef2b3010fe
Opcode Fuzzy Hash: b0d1abf60bcd796a78faf4eb3e2621acf1a222e1aed75c51f61f1db096cdb032
Instruction Fuzzy Hash: B2511DB1E10619CBDB14CFA9D5405AEFBF2BF89304F24C16AD518A7316D730AA41CFA0

Analysis Process: RICHIESTA D'OFFERTA.exePID: 4228, Parent PID: 2124COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.2%
Total number of Nodes:	249
Total number of Limit Nodes:	24

Executed Functions

Function 06B63138 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B63884
$kq, xrefs: 06B63843
$kq, xrefs: 06B63860
$kq, xrefs: 06B63890
$kq, xrefs: 06B63837
$kq, xrefs: 06B6386C

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: f482fad508883d4f5eb870835618b9cbfb938fe6000c5dc3a4b052b7a70670c5
Instruction ID: 02c93ca19e672525ccffee4d14332e7d11b406a0631c2a041c00d6ec428825da
Opcode Fuzzy Hash: f482fad508883d4f5eb870835618b9cbfb938fe6000c5dc3a4b052b7a70670c5
Instruction Fuzzy Hash: 55322E31E10619CFCB14EF75D99459DB7B2FF89300F20D6AAD409AB264EB34A985CF90

Function 06B67A10 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B67D7F
$kq, xrefs: 06B67D73

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: a79106fc7d4e882863faee18c0f7b4c7cf1d425d43e8e362a60290b240acc0c8
Instruction ID: f214d00207653d9cbf58bedc3487cd1fdd4f9251264d730d705ed25380e25ace
Opcode Fuzzy Hash: a79106fc7d4e882863faee18c0f7b4c7cf1d425d43e8e362a60290b240acc0c8
Instruction Fuzzy Hash: 5D029E71B002058FDB54EB6AD590AAEB7E2FF84304F148579E4069B395DF39EC86CB90

Function 051E77E0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 051E7EFF

Memory Dump Source

Source File: 00000002.00000002.4129880823.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51e0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 12fa39a66ea21ca9fec8b82d4ea4393160b93aa224674a7340767a3b0f5b7e67
Instruction ID: 4bf5c595bc16991975cd6cd8a87625f33b27d5ddc277bfd82fbcb915cbb0f19a
Opcode Fuzzy Hash: 12fa39a66ea21ca9fec8b82d4ea4393160b93aa224674a7340767a3b0f5b7e67
Instruction Fuzzy Hash: 232125B18006598FDB10CF9AD484BEEBBF4EF49320F14846AE855A7291D778A944CFA1

Function 06B66288 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7725f027316871a862074a6a55f3434b746100c5d06cce43f1bae03014f6ed3f
Instruction ID: dd39c47569806c7eefdfb5c548ad1132c30ddbc36ea73eac91cdb14e01dac6f7
Opcode Fuzzy Hash: 7725f027316871a862074a6a55f3434b746100c5d06cce43f1bae03014f6ed3f
Instruction Fuzzy Hash: B362AF74B002048FDB64DB69D584AADB7F2FF88314F1484A9E80ADB355EB39EC45CB81

Function 06B6C230 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58da7eb254affca0dd1e4a65ea7ea56f75fd5e8ae780dc46de12f64c1093aaaf
Instruction ID: 609dadb92b419bc1cb8804e4cceb9ed93d2e63efe9f63709762a87769eaf2a4a
Opcode Fuzzy Hash: 58da7eb254affca0dd1e4a65ea7ea56f75fd5e8ae780dc46de12f64c1093aaaf
Instruction Fuzzy Hash: C832A271B002098FDF64DF69D990AAEBBB2FB88310F10856AE545EB355DB35EC41CB90

Function 06B65270 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449710725f6db47e9123d760563c4be3d4f14ea95319855ebcda9f2faf01d4d1
Instruction ID: 0b66ec6e7628ffa0e23dde8c7892e94a046b7cded0b0f0b2b500cf45281bc975
Opcode Fuzzy Hash: 449710725f6db47e9123d760563c4be3d4f14ea95319855ebcda9f2faf01d4d1
Instruction Fuzzy Hash: 8212F6B2F002158BDF70DB65D98076EB7B2EF84310F2484B9E9069B395DA78EC51CB90

Function 06B6AEC0 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddea0f236be0b652a30f0a9123dc30e9d64880e8a2ba644048ac1bacf2b7c6c
Instruction ID: 51014baa45bf8e6818edd6f20b4a16f6fdc7b2945ed54b2363fc8c92041830c7
Opcode Fuzzy Hash: dddea0f236be0b652a30f0a9123dc30e9d64880e8a2ba644048ac1bacf2b7c6c
Instruction Fuzzy Hash: CF22B0B0E102098FDF64DB6AD5807ADB7F6FB45310F2098A6F409EB395CA39DC918B51

Function 06B6A968 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B6AB17
$kq, xrefs: 06B6AADC
$kq, xrefs: 06B6AA95
$kq, xrefs: 06B6AB40
$kq, xrefs: 06B6AAE8
$kq, xrefs: 06B6AA89
$kq, xrefs: 06B6AB34
$kq, xrefs: 06B6AB0B

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 07b2a958161fe94e6e8fb826a317a81e9718f90e5f1e8852a5d90225e2506da9
Instruction ID: 4a8f36c038d29413852a0f515f8aaa2ba9a71bba3c00bff071b8f99d7454953a
Opcode Fuzzy Hash: 07b2a958161fe94e6e8fb826a317a81e9718f90e5f1e8852a5d90225e2506da9
Instruction Fuzzy Hash: 5BE19E70F102098FDF65DBAAD58066EB7F2EB85300F24856AE405AB355DB39E885CB90

Function 06B5A6E9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06B5A776
GetCurrentThread.KERNEL32 ref: 06B5A7B3
GetCurrentProcess.KERNEL32 ref: 06B5A7F0
GetCurrentThreadId.KERNEL32 ref: 06B5A849

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 07b25d85381e71d93a777e2c6d57b68fc0ea6b7f285de6ebd10c75d76ec45888
Instruction ID: 212500fe9e038d770e9297db99fc40a1142e65348a17b737fe2a27845e323438
Opcode Fuzzy Hash: 07b25d85381e71d93a777e2c6d57b68fc0ea6b7f285de6ebd10c75d76ec45888
Instruction Fuzzy Hash: E05146B19002498FDB54DFA9D948BDEBBF1FB48314F2080A9D409A73A0DB349985CF65

Function 06B5A6F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06B5A776
GetCurrentThread.KERNEL32 ref: 06B5A7B3
GetCurrentProcess.KERNEL32 ref: 06B5A7F0
GetCurrentThreadId.KERNEL32 ref: 06B5A849

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8a75caf604bcf184301324a5ca5f2b93ec6b17fb5eaf8622751327247705ac50
Instruction ID: b1534ed6d4498722082afdf28bf32acb3f8d47bdbdab8681ee528dd346e8ee21
Opcode Fuzzy Hash: 8a75caf604bcf184301324a5ca5f2b93ec6b17fb5eaf8622751327247705ac50
Instruction Fuzzy Hash: FF5134B09002498FDB54DFA9D548BDEBBF1FB48314F208159D409A72A0DB34A985CF65

Function 06B68DE8 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B68E93
$kq, xrefs: 06B68E9F
$kq, xrefs: 06B68E58
$kq, xrefs: 06B68E64

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 7ec4e671b1b5c0f0d5fe4f8707932c2b82d0a63c2334c86a1ed9ad403ced0631
Instruction ID: 5f56900d4096303b7cb323917bd602183f7bdee0f36f7a8d437d0ca9069a27b5
Opcode Fuzzy Hash: 7ec4e671b1b5c0f0d5fe4f8707932c2b82d0a63c2334c86a1ed9ad403ced0631
Instruction Fuzzy Hash: E4916370B1021A8FDB64EF65D9907AEB3F6EF84240F1085A5D8099B358EB35ED518B90

Function 06B6CFF8 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B6D3EF
$kq, xrefs: 06B6D3F7
$kq, xrefs: 06B6D403

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: b1dd1806234750952f63133173606fd6a510c7c57694eedd75c2b3d4bcaa111a
Instruction ID: 9ea08e14c483b48513e5e82181ad38da7661b4fa4839e3675c6d2855033ccf96
Opcode Fuzzy Hash: b1dd1806234750952f63133173606fd6a510c7c57694eedd75c2b3d4bcaa111a
Instruction Fuzzy Hash: 58620E71B0020A8FCB65EF69D590A5EB7F2FF84304B208669D4059F369DB75ED86CB80

Function 06B64840 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Opq, xrefs: 06B64A1B
fpq, xrefs: 06B6486B
XPpq, xrefs: 06B64991

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 55b1aab7a9702deef88fa75672d348c81cb84b06f06513569a036a9a3f4b49f8
Instruction ID: eff8203f233ccfd46a77436152d8d673ef545b524ff23aa93a21dce852264965
Opcode Fuzzy Hash: 55b1aab7a9702deef88fa75672d348c81cb84b06f06513569a036a9a3f4b49f8
Instruction Fuzzy Hash: B6617070F002199FEB549BA5C8547AEBBF6FF88700F208569E106EB398DB749C458F94

Function 06B6CAC0 Relevance: 2.9, Strings: 2, Instructions: 403
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oNp, xrefs: 06B6CC14
DqNp, xrefs: 06B6CC20

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: 0oNp$DqNp
API String ID: 0-2501784304
Opcode ID: 02d052d6e9c53d95405457af35cd2a5110623ae111b99aa690d386fc12f7d0fb
Instruction ID: bb8f283a723be47424488fb9a099fa447309b829bf5db8cc3c93ac9215b45e6f
Opcode Fuzzy Hash: 02d052d6e9c53d95405457af35cd2a5110623ae111b99aa690d386fc12f7d0fb
Instruction Fuzzy Hash: 85E19171B001058FDB54EB79D590AAEBBF2EF89310F1085A9E40ADB365DB35EC45CB90

Function 06B68DD9 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B68E93
$kq, xrefs: 06B68E58

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 898e3ab6bda4068182143655da5aedad6317dabf1330515518ca73de7f551cfb
Instruction ID: 2351f60fa76d8ed86ef4634a66a7bf924e9527eaf259262f890f02c3dd5a95d5
Opcode Fuzzy Hash: 898e3ab6bda4068182143655da5aedad6317dabf1330515518ca73de7f551cfb
Instruction Fuzzy Hash: 98518270B101068FDB54EB79D990BAE73F6EF84640F109469D80ADB398EB35ED518B90

Function 06B64831 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06B6486B
XPpq, xrefs: 06B64991

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: fpq$XPpq
API String ID: 0-1280283
Opcode ID: c315d36eba710516c116bc3117d1d3939135e9d0b613eea60f44a5aafea1e36e
Instruction ID: 3645ba0bc36a9c95b622b42f5ee9ac1a154ac5db28dab494f0c41ef671dacc76
Opcode Fuzzy Hash: c315d36eba710516c116bc3117d1d3939135e9d0b613eea60f44a5aafea1e36e
Instruction Fuzzy Hash: 26518171F006199FDB549FA5C854BAEBAF6FF88700F20C529E106AB398DA749C41CB90

Function 051EF2A0 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4129880823.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51e0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1674ff185fb67fefd07bf34d2155d2de6eed8439e4f1c32832e9df9736268641
Instruction ID: 5eeb6307dbcce44522fef3accc9fb46340b1df6d82ee8c54e8fdba7b45c2ee40
Opcode Fuzzy Hash: 1674ff185fb67fefd07bf34d2155d2de6eed8439e4f1c32832e9df9736268641
Instruction Fuzzy Hash: 32410072D047998FCB14DF79D8046EABBF1EF89310F1586AAD844E7291DB349842CBE1

Function 06B56CA2 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B56E0A

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 80cd2d0fa7d85a9afab232585539ffc2231b6ea64fa42a65de536eb6933ec9ac
Instruction ID: ccdd313b1b5362215d3373127ff4fedeb27c686e1ac63d905ad442389891b97d
Opcode Fuzzy Hash: 80cd2d0fa7d85a9afab232585539ffc2231b6ea64fa42a65de536eb6933ec9ac
Instruction Fuzzy Hash: FE51E2B5C10209AFDF15CF99C984ADDBFB1FF48310F15816AE818AB220D7719855CF90

Function 06B55A9C Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B56E0A

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f82a42962ad36df71fd5f39c3641b00c68eb615295564411b30ff64e8e81a65c
Instruction ID: c786a5991ffd268ea1a9223cfba8a477da740a417583aed0e0ee516e9c0c4914
Opcode Fuzzy Hash: f82a42962ad36df71fd5f39c3641b00c68eb615295564411b30ff64e8e81a65c
Instruction Fuzzy Hash: CD51DFB1D103099FDB14CF99C984ADEFBB5FF48310F64816AE818AB260E7709885CF90

Function 06B5A4F4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06B5B891

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 36919080cc38f901f4f8389b924d3002c01ce71673c8642705918adfb4e9d0df
Instruction ID: 7f5a42785a5f884406e8b53f3db8e38e04099df23001c7af3e6b0b19dbd74e70
Opcode Fuzzy Hash: 36919080cc38f901f4f8389b924d3002c01ce71673c8642705918adfb4e9d0df
Instruction Fuzzy Hash: 6A4137B59003098FDB54CF59C488BAABBF5FF88314F25C499E919AB361D770A841CFA1

Function 06B5C50C Relevance: 1.6, APIs: 1, Instructions: 73comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06B5C5A0

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a2d678aab47b135d253675373a5848b965d0f1b5491efac4a4bab9a8cad88edd
Instruction ID: 447bb90b65e795ff5e7aac73baa168994f5182cb8bd782d2f711c4720fd45c44
Opcode Fuzzy Hash: a2d678aab47b135d253675373a5848b965d0f1b5491efac4a4bab9a8cad88edd
Instruction Fuzzy Hash: 66310FB0901308DFDB10CFA8C984BDDBBB2AB48304F209459E909BB294D7749985CF91

Function 06B5C518 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06B5C5A0

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c95928cc7166a538b0f43e8aa2a627ba1488facb4fcccbe21a375dd278775683
Instruction ID: 252fd0775e2dc3da98ff01817ccbedad48ff154fff1383563b81688997f1fafd
Opcode Fuzzy Hash: c95928cc7166a538b0f43e8aa2a627ba1488facb4fcccbe21a375dd278775683
Instruction Fuzzy Hash: ED310FB0D01348DFDB10CF99C985BDDBBF5AB48304F209059E909BB294DBB5A985CFA1

Function 051E7E81 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 051E7EFF

Memory Dump Source

Source File: 00000002.00000002.4129880823.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51e0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: cd3433a0dac571541d7ef23a047d403f43ec88e6f6eed7532fedd8216adcdab2
Instruction ID: 124030bc3ef3d0fd45fc86c56d316dcb9f2e3c617d9a590e3caffee58d5fe07d
Opcode Fuzzy Hash: cd3433a0dac571541d7ef23a047d403f43ec88e6f6eed7532fedd8216adcdab2
Instruction Fuzzy Hash: 9E2148B18012598FCB10CF9AD484BEEFBF4EF49320F14842AE455A3391D738A944CF65

Function 06B5A2A8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06B5A906,?,?,?,?,?), ref: 06B5A9C7

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d2ed3fcf814a97c55bbfe674cf859e7e803cd92d6f11a49a588437fc16e08477
Instruction ID: 22918a89dc3ff13ee44e0ecd7549d2198b5e177ef6ad2b1c661d4cad60967d9f
Opcode Fuzzy Hash: d2ed3fcf814a97c55bbfe674cf859e7e803cd92d6f11a49a588437fc16e08477
Instruction Fuzzy Hash: E22105B5900218DFDB10CF9AD584ADEBBF8EB48320F10805AE914B3351D375A940CFA5

Function 06B5A938 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06B5A906,?,?,?,?,?), ref: 06B5A9C7

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1d4c1cfd039a9ff7e08fbf2f786b0b749c791945e20c3c3ca23793c7d7beb63e
Instruction ID: f0d3b9900fb7bb1da512938b238026bc06e991afa6919f73b39aa3ccbe39f583
Opcode Fuzzy Hash: 1d4c1cfd039a9ff7e08fbf2f786b0b749c791945e20c3c3ca23793c7d7beb63e
Instruction Fuzzy Hash: C22103B59002589FDB10CFAAD984ADEBFF8EB48310F14806AE954A7350C374A940CFA0

Function 06B5DF01 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06B5DF83

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 277c32290a729f5c0b09e9bb098f36e348f99aca6e762c430fe1ecdbc088ebfb
Instruction ID: 578d4a13a0ea26a7200457d8f77c9dcd9d142d8197cc8830c3ad59013ebe2c12
Opcode Fuzzy Hash: 277c32290a729f5c0b09e9bb098f36e348f99aca6e762c430fe1ecdbc088ebfb
Instruction Fuzzy Hash: 292115B5D002199FCB54CF99C944BDEFBF5EF88320F10842AE459A7250CB74A940CFA5

Function 06B5DF08 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06B5DF83

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e4f7c383353f7878b363166ec2096b0f7318fca5d576e4112d31f2521c890bdb
Instruction ID: fcef3efe90640c91912db9157a8f6ff52494f8244a34e71fe260fa0141947278
Opcode Fuzzy Hash: e4f7c383353f7878b363166ec2096b0f7318fca5d576e4112d31f2521c890bdb
Instruction Fuzzy Hash: 472113B5D002098FCB54CF9AC844BEEFBF5EF88320F10842AE458A7250CB74A940CFA5

Function 051EF388 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 051EF3EF

Memory Dump Source

Source File: 00000002.00000002.4129880823.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51e0000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1e78062cb363cdeb432560bd2ae8fe8149e6810c91492fa2f39e462d73e40124
Instruction ID: 09b990ab22bcc7a334a05a5aee8ecdd4347eb1aeac511513470e571482b3e08a
Opcode Fuzzy Hash: 1e78062cb363cdeb432560bd2ae8fe8149e6810c91492fa2f39e462d73e40124
Instruction Fuzzy Hash: 631112B1C006699BCB10DF9AC544BDEFBF4EB48320F10812AD818A7240D778A941CFA5

Function 06B54214 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06B558B6

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a9e175b874f4d99df35cbaa2deb31ebcafcf234ef5f770b0bd685f9ccdc0424a
Instruction ID: e40f96e9679909aa60628b5d53a535fd6834655cc3690f36bd50e8bf0c8b49fb
Opcode Fuzzy Hash: a9e175b874f4d99df35cbaa2deb31ebcafcf234ef5f770b0bd685f9ccdc0424a
Instruction Fuzzy Hash: 161120B6C002498FDB20CF9AC444BDEFBF4EB88220F11846AD828B7200D374A545CFA1

Function 06B55848 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06B558B6

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8923a5309228da8030ab7527cb725ab49336616132b1761cb39bf0c80845078d
Instruction ID: 8b4ddb7ba5a9e33ae60f405448dab17e82ec25114c63baa50a067fe6a16fbb27
Opcode Fuzzy Hash: 8923a5309228da8030ab7527cb725ab49336616132b1761cb39bf0c80845078d
Instruction Fuzzy Hash: 161102B6C002498FCB20DF9AD444BDEFBF4EB88324F10846AD859B7250D379A545CFA2

Function 06B5A54C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06B5BADD), ref: 06B5BB67

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 024bc0853a3165cf4877d0c48c7ced1e067df1605a9e9aa24cadcbe20beb94fb
Instruction ID: a5a7c7a24b74e1dfeafebf3a6c0cac03068b2fcc6703548929f2323513e499f4
Opcode Fuzzy Hash: 024bc0853a3165cf4877d0c48c7ced1e067df1605a9e9aa24cadcbe20beb94fb
Instruction Fuzzy Hash: 951136B1800248CFCB10DF9AC484BDEFBF4EB48320F20846AD558A7250C774A944CFA5

Function 06B5BDEC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06B5C425

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 68a1d452257270d266211b2a45f032a5c31d15f88ced765de87ed207e59a6a65
Instruction ID: ed3e8cf5521691dedaa58514d3a885f29628ef0783b872281cab90cc945c369b
Opcode Fuzzy Hash: 68a1d452257270d266211b2a45f032a5c31d15f88ced765de87ed207e59a6a65
Instruction Fuzzy Hash: 411112B59003488FDB20DF9AD448BDEFFF4EB48324F208469D918A7250D379A944CFA5

Function 06B5C3C9 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06B5C425

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1a26656e0078a053a49d2b113a5c489b89d502964afd61f60a016b56ba26fde3
Instruction ID: cb1ac387dddd3eb44b6eb035f5f1b41b9c29d68a21082324c825475201d13936
Opcode Fuzzy Hash: 1a26656e0078a053a49d2b113a5c489b89d502964afd61f60a016b56ba26fde3
Instruction Fuzzy Hash: DB1133B58003488FCB20CFAAD444BDEFFF8EB48320F108459D558A3210C374A540CFA5

Function 06B5BB00 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06B5BADD), ref: 06B5BB67

Memory Dump Source

Source File: 00000002.00000002.4131182649.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b50000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bd8cdbf9068192e752ec489c003ffd27a1f60afb05a9fbd9e58f1ae99a72edf5
Instruction ID: e3f2b3c716b446a3878b44b4ad13d9ec5366e88021b548de44921bac3a88f5ba
Opcode Fuzzy Hash: bd8cdbf9068192e752ec489c003ffd27a1f60afb05a9fbd9e58f1ae99a72edf5
Instruction Fuzzy Hash: E71115B5800258CFCB20DF9AD885BDEFBF4EB48324F20846AD559A7350C774A944CFA5

Function 06B6DB6D Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B6DCC9

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 13bb108ff84cc2fa9ad94723254344db63e8ddaefcd2ad86bc7b091a3b7fd6d8
Instruction ID: 97ac6a1ebf5103f2c6eb2f3c88f85cc82a73fe16eb8f3c99cab43aa19f334083
Opcode Fuzzy Hash: 13bb108ff84cc2fa9ad94723254344db63e8ddaefcd2ad86bc7b091a3b7fd6d8
Instruction Fuzzy Hash: 5641B3B0F102099FDB64DF66C54069EBBB6FF85300F208569E406E7354DB75D846CB81

Function 06B622A8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B623E3

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 5bcfdaffc42b96b81c5e4a4158d7a985394b121e30a2d88c1c7722267b612b04
Instruction ID: 1bbf4ed6520dc7a7799fad71378c9d9a24f846e4f90e154808fb680c8c3f4b02
Opcode Fuzzy Hash: 5bcfdaffc42b96b81c5e4a4158d7a985394b121e30a2d88c1c7722267b612b04
Instruction Fuzzy Hash: 1F310270B002018FEF68AB35D65426F7AE7FB88200F209468E406DB398DF39DD41CB90

Function 06B6FEC0 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 06B6FF20

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f5a8ddfecbb2c8c4978e02427e348feaf7804d9ab5fae142d48c47de65175709
Instruction ID: 4d1d388c570f65a2e1c128fee082eec408d2778ebce585f867abd8eea7062eb1
Opcode Fuzzy Hash: f5a8ddfecbb2c8c4978e02427e348feaf7804d9ab5fae142d48c47de65175709
Instruction Fuzzy Hash: 7A11BE74B012159FCB50EB78D809BAE77F6AF48700F1084AEE50AE73A5DB399D00CB84

Function 06B6FED0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06B6FF20

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 6fdb14481e18200431c4543188dfbf5d48abc9974ca41d35c090831878fda59a
Instruction ID: 820395e1cbda147442d13de8468409006e6af4f0e145fc4cc46c3122c9b0bf6e
Opcode Fuzzy Hash: 6fdb14481e18200431c4543188dfbf5d48abc9974ca41d35c090831878fda59a
Instruction Fuzzy Hash: F5115B75B002249FDB54DB78D808B6E77F6AF48700F10846AE60AEB3A4DB399D00CB84

Function 06B62422 Relevance: 1.0, Instructions: 1023COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0c1faab9136c4e8e8e01e77ba32a1d8b24434c98f796ca9327134c2ab91835
Instruction ID: bda703cf76631792f8f6fcf670dc5087f67115f42aac09f55466e7a0305ccc51
Opcode Fuzzy Hash: bb0c1faab9136c4e8e8e01e77ba32a1d8b24434c98f796ca9327134c2ab91835
Instruction Fuzzy Hash: D6924470E002048FEB64DF69C584B6DB7F2FB45314F5494A9E40AAB365DB39EE85CB80

Function 06B6DE00 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c46126be07752a2d94a277aacae00e0317abc02643de0a453fb00cc22bdb37
Instruction ID: f85c13b824b72c9e34141f28a08e91940783d28d93e6713046d7b4fb8fda5197
Opcode Fuzzy Hash: f8c46126be07752a2d94a277aacae00e0317abc02643de0a453fb00cc22bdb37
Instruction Fuzzy Hash: 0DF15E74F102098FDB54DBA9D5907ADB7B2EF88300F208569E405EB394DB75EC86CB91

Function 06B6B2F0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c347a699a1f143bcf38bc78c21ea39c13bec05cbf21dbed2e6eeb387eb9812
Instruction ID: b473f11baaf08928081173552c41175f6e62600e22243e06e26661a74447dd03
Opcode Fuzzy Hash: f3c347a699a1f143bcf38bc78c21ea39c13bec05cbf21dbed2e6eeb387eb9812
Instruction Fuzzy Hash: 87B19BB0E102098FDB60DF69D580AADB7F1EB45310F2499AAE519DB3A1DB38DC91CB41

Function 06B65E88 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c6f5655ae77216c54a61c22fd6805ca5fcb0c6977a8bfb7bb89615df2da578
Instruction ID: b7343adc3cfbfe674f1e362572cee36a817d2207a9269f805d81ab3aa605a06f
Opcode Fuzzy Hash: a7c6f5655ae77216c54a61c22fd6805ca5fcb0c6977a8bfb7bb89615df2da578
Instruction Fuzzy Hash: 1B61C1B2F001214FCF659A7EC88066EBADBEF94610B154479F80ADB379DE69DC0287C1

Function 06B63F72 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be457ec2598c32d0430f1afde9d41559610d6875820bdce2b3e69bdb367dc53
Instruction ID: 57faf108672618a5b88084139d0eaa87a84793b7f71e1958f05e6b77aa1cdc41
Opcode Fuzzy Hash: 3be457ec2598c32d0430f1afde9d41559610d6875820bdce2b3e69bdb367dc53
Instruction Fuzzy Hash: 11815D70B106098FDF54DFA9D5947AEB7F6EB88340F108569E40ADB398EB34DC428B41

Function 06B64294 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1d7dec13fafff62aec17866ed1c9249a690392b87d529191163143c790fb23
Instruction ID: 4ddd9899a448c88b28a616a5aaa09f400245a29e7a382d6e022fb2e294119307
Opcode Fuzzy Hash: 5f1d7dec13fafff62aec17866ed1c9249a690392b87d529191163143c790fb23
Instruction Fuzzy Hash: 8D915D70E106198FDF60DF69C840B9DB7B1FF89300F208599E549AB395DB74AA85CF90

Function 06B642A8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90562c4129000cf3275ba4935db928c478b97a4f2f3c3327d8c83fb06c74f923
Instruction ID: a1e2191c7216727a8683db8fbb984a319d31db9242f779618c65857a76b1b705
Opcode Fuzzy Hash: 90562c4129000cf3275ba4935db928c478b97a4f2f3c3327d8c83fb06c74f923
Instruction Fuzzy Hash: 8B912C70E106198BDF60DF69C880B9DB7B1FF89310F20C599E549AB395DB70AA85CF90

Function 06B6EBC8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ef6615cadc14d93d33e9baaa4a6384425fc31a1a8881314255c22d0d99c438
Instruction ID: 66d4a28e58a3d46e8892a13339f21fbcc50b128032347f7cf273ba0718cc3388
Opcode Fuzzy Hash: a1ef6615cadc14d93d33e9baaa4a6384425fc31a1a8881314255c22d0d99c438
Instruction Fuzzy Hash: 7A714C75A002099FDB54DFA9C980A9EBBF6FF84304F248569E409EB355DB34EC46CB50

Function 06B6EBD8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53012bd2320936559828991e4fff305bccb41c5f65e681b3d23f4658da6ce79e
Instruction ID: 877c919105cd68fd53bc19431c01d6f969b60e70a6848ca59eaf922f17f78681
Opcode Fuzzy Hash: 53012bd2320936559828991e4fff305bccb41c5f65e681b3d23f4658da6ce79e
Instruction Fuzzy Hash: 43713A75A002499FDB54DFA9C980A9EBBF6FF88304F148469E409EB355DB34EC46CB50

Function 06B6DDF2 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c743b620c0eceb61ba8eaca091337b6cb13d87686c1618a3a25260d15e767ad
Instruction ID: 61a9e8fe3709e6cc43c81bb41b08937932c9eeef48f87b80f79bd62d9b8aab0e
Opcode Fuzzy Hash: 5c743b620c0eceb61ba8eaca091337b6cb13d87686c1618a3a25260d15e767ad
Instruction Fuzzy Hash: 41716F74F102098BDF64DBA9D990BADB7B6EF88300F204465E405EB395DB78DC82CB91

Function 06B6FC61 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f2e522d0071e5752b5d4eec4d20c272f072bc667e12ea3938ec94f247f7456
Instruction ID: 91aea5060c35aef8f39b06edfcb0d01c373f449a1e0e808266e7c97e8bca6353
Opcode Fuzzy Hash: 02f2e522d0071e5752b5d4eec4d20c272f072bc667e12ea3938ec94f247f7456
Instruction Fuzzy Hash: A151F371E01105DFDB24ABB9E4886BDBBBBFF84310F1088B9E106D7255DB359845CB80

Function 06B6F608 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70a098f71e2066ac69aa429eb12d8f0c3ed9a28d7fe53fa6c54dbde9b26f2c7
Instruction ID: 7110016906be928cdff7f1683906abab430228f144ad5f1caa9624c27cee8965
Opcode Fuzzy Hash: d70a098f71e2066ac69aa429eb12d8f0c3ed9a28d7fe53fa6c54dbde9b26f2c7
Instruction Fuzzy Hash: C051C7B5F102148FEF6067ADE95473E266FE789340F20486AE10AD73E8DA7DCC458791

Function 06B6F618 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a12033c659d39bda1c2a5369e30f4206b48ee7909424af2c8f02151284733ce
Instruction ID: e8d9b5d38b91755e0f2cbc5cc13b9d228aa32b08fa26780362dc4112965ab3b0
Opcode Fuzzy Hash: 8a12033c659d39bda1c2a5369e30f4206b48ee7909424af2c8f02151284733ce
Instruction Fuzzy Hash: 9F51C5B5B102148BEF64666DE95473F266FE789350F20486AF10AD33A8DA7DCC458391

Function 06B6DE6D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e42474ee4b14c6bfb95f51836ecfd1e99c7b26fec08408bb0a2f6da206eaa95
Instruction ID: daab9e5093de99745b1df537c44940581285b1f7b117cbc50efea42c5d088129
Opcode Fuzzy Hash: 9e42474ee4b14c6bfb95f51836ecfd1e99c7b26fec08408bb0a2f6da206eaa95
Instruction Fuzzy Hash: 35513CB4F102098BDF64DBA9D9907ADB7B6EF88300F204466E405EB395DB78DC86CB51

Function 06B650EA Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c31536e4bcb5dd79ab22f97d278e28af09901878c6f7e63c29d003ce3c8467
Instruction ID: d80b071d98d16ffb2d382a904136ff77c4312ae4ec39aa492ad7195bdf25be25
Opcode Fuzzy Hash: 41c31536e4bcb5dd79ab22f97d278e28af09901878c6f7e63c29d003ce3c8467
Instruction Fuzzy Hash: 754170B2E006098FDB70CEAAD880AAFFBF1FB55310F10496AE256D7650D334A9558B90

Function 06B6DA20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a8f9f925ad5baa0457e5eca1954fb4fc51d8425a1ea7f5d75739203d3ac503
Instruction ID: 2144c1abbd2207b7b9ce0a67a5f7534b2a844d0a5097b013e8661ad17a4ada8e
Opcode Fuzzy Hash: f6a8f9f925ad5baa0457e5eca1954fb4fc51d8425a1ea7f5d75739203d3ac503
Instruction Fuzzy Hash: D131B070E1420A9FCF24DF69C980ADEB7B6EF85300F108969E505EB354EB74E8468B90

Function 06B62159 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4971700f1a4f1ee19c5c06680a0cfe5b79658f843f31ad717aad6b3281b2d5b6
Instruction ID: 6eb2749c341693b0d9c36601fcc556a5b3a5e21bf5c99e4b3d039a10c2460108
Opcode Fuzzy Hash: 4971700f1a4f1ee19c5c06680a0cfe5b79658f843f31ad717aad6b3281b2d5b6
Instruction Fuzzy Hash: 5731C070E102069BDB58DFA5C958A9EB7B2FF89310F10C52AE806E7350DB35ED42CB40

Function 06B62168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116004d4e9501e1002086a33a86b64a56f1dd73e75f7c87f92739d9063cfeb21
Instruction ID: 51a9e940d32e1005d3b0cecb86a24c6dde25f925b0baaad5fcb9926d8e4161ae
Opcode Fuzzy Hash: 116004d4e9501e1002086a33a86b64a56f1dd73e75f7c87f92739d9063cfeb21
Instruction Fuzzy Hash: 0D31A170E102069BDB58DFA5C954A9EB7B2FF89310F10C52AE806E7350DB35ED42CB40

Function 06B63B78 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951ee6a8a341fab6adb29bec0cfaf31009133bd459e0195adea605dd107b17b3
Instruction ID: 4a0e24a5bb676317b5dafb399970326e0466a8be3225f155540eacbe81d30550
Opcode Fuzzy Hash: 951ee6a8a341fab6adb29bec0cfaf31009133bd459e0195adea605dd107b17b3
Instruction Fuzzy Hash: DA21AD76F006159FDB50DF69E980BAEBBF5EB88710F048069F906E7398E734D8508B90

Function 06B63B88 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37130c1c50c15246f6b258c811f918963a38b511df72157a090d04f25d66b98a
Instruction ID: 92adcf68c98ea8980bc5896d61e8e8243d1032a80e4225a6b27fdc1b6e981570
Opcode Fuzzy Hash: 37130c1c50c15246f6b258c811f918963a38b511df72157a090d04f25d66b98a
Instruction Fuzzy Hash: 28218E76F006159FDB40DF69E980BAEB7F1FB48710F149069E90AE7398E734D9408B94

Function 06B66998 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588c117bdf4e479fd72be1d53feff88008c267394583c9685100ae6b90cbc2e9
Instruction ID: 172fc9fbb40bc420e03c30fb18c1630922858bb318c3835d317f47da65711697
Opcode Fuzzy Hash: 588c117bdf4e479fd72be1d53feff88008c267394583c9685100ae6b90cbc2e9
Instruction Fuzzy Hash: E821F671B101189BCF54DB69E94069EBBBBEB84310F148469E806E7355EB35EC418BC1

Function 0135D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4126362417.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_135d000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7a8c5ce9a182278bb249931b1619fd9d962514e0160078101578eb250c3ba3
Instruction ID: b5df7ff788dc072cdd335d8cf23706a0962d87be613d9a894048c7c3f49d5080
Opcode Fuzzy Hash: 5a7a8c5ce9a182278bb249931b1619fd9d962514e0160078101578eb250c3ba3
Instruction Fuzzy Hash: 342122B1504204DFDB51DF58D980F26BBA5EB84B18F20C56DDC0A4B356C33AD447CA62

Function 06B669A8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cf20631fe9192a6d4801fe16e76a3ab6557bc6827c14495397e4ee309a64cf
Instruction ID: f923d4d47c64540dfac7dc3d8548cd81929bf7a1b3ed7ee1bdd6907c0ccdabdc
Opcode Fuzzy Hash: e3cf20631fe9192a6d4801fe16e76a3ab6557bc6827c14495397e4ee309a64cf
Instruction Fuzzy Hash: 5C21AF71B101189BDF94DBAAE95069DB7B6EB84310F108565E806E7394EB35EC418B81

Function 06B6CAAF Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4087b8009bdf608c0a2ff4293c189a7ff802f144332869bb5abcb20f6d00ceda
Instruction ID: ee99aeb72557aa871532b6a98e1b2272dec36b990c7ab5a7005ca52acebdd565
Opcode Fuzzy Hash: 4087b8009bdf608c0a2ff4293c189a7ff802f144332869bb5abcb20f6d00ceda
Instruction Fuzzy Hash: 5C115971F000194FDF50AB3EC480BAEBBA6EB89724F054579E50AD7340DB24EC0287D1

Function 0135D006 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4126362417.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_135d000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fd0a40fe1a1c4f1e79c7b1ff388569e92f9ef3ebfc7b759986ce520c270846
Instruction ID: 97fe62e34d24b940e816f4d6bbeebefb7dddb4fe8d84ebeeec3364108f8ee215
Opcode Fuzzy Hash: 01fd0a40fe1a1c4f1e79c7b1ff388569e92f9ef3ebfc7b759986ce520c270846
Instruction Fuzzy Hash: FF21837550D3C08FD703CF64D994B11BF71AB46214F29C5EBD8498F2A7C23A940ACB62

Function 06B63C98 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20dbcf979e7a48bc303b865ac7404eee020b995ef098f7c1f1b21b6d12e023c0
Instruction ID: a525ff72b9da4a82b2d65058cc525091c9dad4d5eb55318a34e605825a8be340
Opcode Fuzzy Hash: 20dbcf979e7a48bc303b865ac7404eee020b995ef098f7c1f1b21b6d12e023c0
Instruction Fuzzy Hash: 89118E32B101295FCF949A69DC146AE72EAEBC8610F008579E40AE7358EE28DC018BD0

Function 06B63ED0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0a2e069cdcfa2153a089dcad1e09cc3d0ae9684da4e23b8f61dcd4f1411e55
Instruction ID: d41ce97d0f8b269d96f6804d59ba98544f9eab4fc05f99d8625cd7208a530dd1
Opcode Fuzzy Hash: ff0a2e069cdcfa2153a089dcad1e09cc3d0ae9684da4e23b8f61dcd4f1411e55
Instruction Fuzzy Hash: 7701F171B101104BDB6197BD9810B6BA7E6DBC9720F10987AF50AC7356EA29DC0283A1

Function 06B69F98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db894cfe9760a24514608d9a19090b450fe91b458d7bb49139e23cbbfeeeb3d
Instruction ID: 39c2c98a38ab6b0dd2556fa280e3d2bccf69c0b69faaa4d3e0af01e0b8856939
Opcode Fuzzy Hash: 9db894cfe9760a24514608d9a19090b450fe91b458d7bb49139e23cbbfeeeb3d
Instruction Fuzzy Hash: 54118E70B142910FCB62D778985075E7BD2DB46724F0094AAF10ECB356E915DC858380

Function 06B63C87 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9477ac4a0541d0a283048d513426f381d1091ee0ed4cc0dd301dbc27390b0e
Instruction ID: 093b583dd6d8d35f202cd3f28b176bd1ba75593e5e67216f7394a2210d5d6cf2
Opcode Fuzzy Hash: 3f9477ac4a0541d0a283048d513426f381d1091ee0ed4cc0dd301dbc27390b0e
Instruction Fuzzy Hash: 0F01D232F101295BDF549A6A9C187EB77EAEBC8650F005175E50BD3348EB2888168BE0

Function 06B6EE4A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85687bbb915cc2e9d766f9e81eb3908fdea2d0738532fab268e8caeb37aacbdb
Instruction ID: d5ca481aecb815bf47cce5e03b522a25b8bc6016b298a85bc21de9945c14aeb3
Opcode Fuzzy Hash: 85687bbb915cc2e9d766f9e81eb3908fdea2d0738532fab268e8caeb37aacbdb
Instruction Fuzzy Hash: FC012475B281101BCBA2967D9814B7BB7D6CBC6A20F10887AF10AC7340EA15DC4283D2

Function 06B63950 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37c02abed70bb76d4a5375cb82e70422d88ffada6fc499049d87e6fe0062886
Instruction ID: 25552f34738e361dd4696bb423712502f28f3c67e11946eef6ec7242b829a640
Opcode Fuzzy Hash: e37c02abed70bb76d4a5375cb82e70422d88ffada6fc499049d87e6fe0062886
Instruction Fuzzy Hash: 4921E0B5D01619AFCB00CF9AD885ACEFFB8FB48314F10812AE918A7240C774A944CFA5

Function 06B63958 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3521aecb805e967013fbc23f05233c861887176f77f3a8fa3df30c00cbc1ca02
Instruction ID: 076e35bdc2188aff2037a86227929d49c01b7bdbd3c124fd45400d0b97e636d0
Opcode Fuzzy Hash: 3521aecb805e967013fbc23f05233c861887176f77f3a8fa3df30c00cbc1ca02
Instruction Fuzzy Hash: DF11D3B5D012199FCB00CF9AD884ADEFBF4FB48314F10812AE518A7240C774A944CFA5

Function 06B63EE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc578eed95daa117e42731169b1d532a0eb93879f0bb3d85e68fb0f9e23189f
Instruction ID: cf70ef83055229de96ac82222f21bbec40405931a5e579a0f105bb58a0177861
Opcode Fuzzy Hash: 6fc578eed95daa117e42731169b1d532a0eb93879f0bb3d85e68fb0f9e23189f
Instruction Fuzzy Hash: 1401D171B100104BDB649BBED414B6BB2DADBC9B20F10983AF20EC7344EE26DC0283A1

Function 06B6EE58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9affc658438c9902b795fb998ab786ec1a9c21cbe0f77a866ae5eec0dcb14177
Instruction ID: d27db85620c851891785e0bf3ac2499a880c718be088fea7a82d6066c42931a2
Opcode Fuzzy Hash: 9affc658438c9902b795fb998ab786ec1a9c21cbe0f77a866ae5eec0dcb14177
Instruction Fuzzy Hash: D501A479B240104BDBA5AA7E945473FA3D6DBC9A24F10C87AF50EC7344EE26DC434781

Function 06B69FA8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2729ec6eecfba7c69ba8bea215a5d644cab853f2306a8385b2d6b2f3d1148ec5
Instruction ID: 9d40dce2146aecc12c655377068ba56533d8267c4e91d94e0979245c961996c2
Opcode Fuzzy Hash: 2729ec6eecfba7c69ba8bea215a5d644cab853f2306a8385b2d6b2f3d1148ec5
Instruction Fuzzy Hash: 5F01F471B100110FCB60EA7DD45072AB3D6EB89B20F109839F50EC7358EE26EC868780

Function 06B66108 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8493d30a6bc37b32de788f3a5399c8c273f7de694b1b819ed7d9b442855a9b96
Instruction ID: fdcc36e8e20f8c29d02b91780871642b7dead33171dac732140b1b1fefff748f
Opcode Fuzzy Hash: 8493d30a6bc37b32de788f3a5399c8c273f7de694b1b819ed7d9b442855a9b96
Instruction Fuzzy Hash: 4EE022B0E0120CABEF20CAB18D45BAB7BADEB01204F2064D5E408D7103F236DA518392

Non-executed Functions

Function 06B67330 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B677E9
$kq, xrefs: 06B6745D
$kq, xrefs: 06B6787C
$kq, xrefs: 06B67451
$kq, xrefs: 06B67420
$kq, xrefs: 06B67888
$kq, xrefs: 06B677DD
$kq, xrefs: 06B6789E
$kq, xrefs: 06B6742C
$kq, xrefs: 06B67892

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: d3705028661d4c9d5da8002d61100a0e5c7cf0f4f928843d894e8990d71bd0b2
Instruction ID: f83e4441af94ea2b9cf268f9a7ada90221cbfa99bb71c30da3e58825095ff521
Opcode Fuzzy Hash: d3705028661d4c9d5da8002d61100a0e5c7cf0f4f928843d894e8990d71bd0b2
Instruction Fuzzy Hash: FF121C70A102199FDB64DF69C994A9EB7F2FF88304F2085A9D409AB365DF349D85CF80

Function 06B6A5D0 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B6A78E
$kq, xrefs: 06B6A721
$kq, xrefs: 06B6A6D2
$kq, xrefs: 06B6A6C6
$kq, xrefs: 06B6A74C
$kq, xrefs: 06B6A758
$kq, xrefs: 06B6A782
$kq, xrefs: 06B6A72D

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: c5b7f3f546c30b7ca4207bb41bf0984d10eab0c2c248f8309e9d3b69809eb7ff
Instruction ID: eb21bdc98c78c751e3434b9b8bfa05eef8aa6f4a5c6683111aaa1f955a2f97aa
Opcode Fuzzy Hash: c5b7f3f546c30b7ca4207bb41bf0984d10eab0c2c248f8309e9d3b69809eb7ff
Instruction Fuzzy Hash: F7917E70A00209DFDF64EF6AD98476EB7F2EF44300F208569E402A73A5DB79AD41CB90

Function 06B66D30 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B67238
$kq, xrefs: 06B671CC
$kq, xrefs: 06B67078
$kq, xrefs: 06B67244
$kq, xrefs: 06B6706C
$kq, xrefs: 06B67012

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 9aebd6a327c2ccd8c1d41a6798c44ccd98e7511cdc472552da57add0beb2266d
Instruction ID: c8e4cf2af29596d147cc8f98cb00bf887f4763e064e069e53065e98153963713
Opcode Fuzzy Hash: 9aebd6a327c2ccd8c1d41a6798c44ccd98e7511cdc472552da57add0beb2266d
Instruction Fuzzy Hash: C8F14E70B00209CFDB54EFA5D594A6EB7B2FF88304F248569E4059B369DB75EC86CB40

Function 06B6BAB0 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B6BC7D
$kq, xrefs: 06B6BCBD
$kq, xrefs: 06B6BC89
$kq, xrefs: 06B6BCB1
$kq, xrefs: 06B6BC55
$kq, xrefs: 06B6BC49

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 2b079a66b1659db06fd54ee0a0b9a76a98c10e2976287e5d77d45bd10dbb90b4
Instruction ID: 54ba147b1abe8b9a996f68cbecc772880070648de3daabd3c837ed41b8b3950f
Opcode Fuzzy Hash: 2b079a66b1659db06fd54ee0a0b9a76a98c10e2976287e5d77d45bd10dbb90b4
Instruction Fuzzy Hash: 4871BF71A102098FDB68DF6AD5406AEB7F2FF85300F2085AAE406DB354DB79E951CB81

Function 06B68068 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B682C2
$kq, xrefs: 06B68327
$kq, xrefs: 06B68333
$kq, xrefs: 06B682CE

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: f5e8bad6cd80b71e2a30ab9ec6f2c3c35c9720928f5077c06d15207e26c86ca0
Instruction ID: 812307b710e5d0186d070890d276046010c10148065ee0eabf2f6577c5ffd7ed
Opcode Fuzzy Hash: f5e8bad6cd80b71e2a30ab9ec6f2c3c35c9720928f5077c06d15207e26c86ca0
Instruction Fuzzy Hash: 6BB15D70E00219CFDB64EF69D5946AEB7B2FF88300F248469E4059B395DB79DC86CB90

Function 06B6A95A Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B6AADC
$kq, xrefs: 06B6AA89
$kq, xrefs: 06B6AB34
$kq, xrefs: 06B6AB0B

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 10ef53e03c25749abdb1e9b8e18e189913b4600149fca5c26e5a1a2baa5b331e
Instruction ID: 8878ef9b764a479307cb26d3439036409ba14f410e26c6c063eb0024a8f72cc4
Opcode Fuzzy Hash: 10ef53e03c25749abdb1e9b8e18e189913b4600149fca5c26e5a1a2baa5b331e
Instruction Fuzzy Hash: F251AF70F102099FDF65EB69D5846AEB3F2EB48300F2495AAE405E7395DB39EC41CB90

Function 06B68480 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06B685C2
$kq, xrefs: 06B6850B
LRkq, xrefs: 06B68573
$kq, xrefs: 06B684FF

Memory Dump Source

Source File: 00000002.00000002.4131227648.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b60000_RICHIESTA D'OFFERTA.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 569ec1c14c374101f946c278fbd3883245174603e1f9c1043b984b223e2a8535
Instruction ID: 17698b6f07ce38a0c747964f8a5d58455c5d5f86cf6ffbc24e19dfbad1476125
Opcode Fuzzy Hash: 569ec1c14c374101f946c278fbd3883245174603e1f9c1043b984b223e2a8535
Instruction Fuzzy Hash: B651E771B002059FDB58EB29D990A6A77F6FF48300F1485A9E5069B3A9DB74EC44CBA0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RICHIESTA D'OFFERTA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RICHIESTA D'OFFERTA.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
RICHIESTA D'OFFERTA.exe

Function 04E61793 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Function 070BBE44 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 070BBE50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0270AD88 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Function 04E618F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 027044B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0270590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 070B86CB Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 04E64050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre