Edit tour

Windows Analysis Report
QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Overview

General Information

Sample name:	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original sample name:	QUOTATION_AUGQTRA071244PDF.scr.exe
Analysis ID:	1564717
MD5:	85ac1b5c91ec2ad9d0935f550aa465f5
SHA1:	2995a582f3294f3688c181e97dbedb7ced01d23b
SHA256:	90fc942adbe09f92833f3d9f6d7ceb3c528da16f360445221de6e3dcc301e00a
Tags:	exescruser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

QUOTATION_AUGQTRA071244#U00faPDF.scr.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe" MD5: 85AC1B5C91EC2AD9D0935F550AA465F5)

WerFault.exe (PID: 5808 cmdline: C:\Windows\system32\WerFault.exe -u -p 6180 -s 2296 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.21.13.139:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: \assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Net.Http.pdbzZ) source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Net.Http.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.PDB source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: QUOTATION_AUGQTRA071244#U00faPDF.scr.PDB source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdbH source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbw source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERDE85.tmp.dmp.3.dr

Source: global traffic	HTTP traffic detected: GET /data-package/3zQMDtTK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/3zQMDtTK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.21.13.139 104.21.13.139

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /data-package/3zQMDtTK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /data-package/3zQMDtTK/download HTTP/1.1Host: filetransfer.ioConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: filetransfer.io

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282372000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2822A1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F28234C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filetransfer.io
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	String found in binary or memory: http://filetransfer.io/data-package/3zQMDtTK/download
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282395000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2823B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://palo-alto.cz/
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2822A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F28235A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F28235A000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F28234C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/data-package/3zQMDtTK/download
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282395000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2823B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filetransfer.io/dist/filetransfer-social-en.389488efe49681ac059b218c21161d72.png
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282395000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2823B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.filetransfer.io/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.21.13.139:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6180 -s 2296

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Static PE information: No import functions for PE file found

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000000.1705363114.000001F2806B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOodqtxmg.exe> vs QUOTATION_AUGQTRA071244#U00faPDF.scr.exe
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Binary or memory string: OriginalFilenameOodqtxmg.exe> vs QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Source: classification engine

Classification label: mal68.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6180

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1bb7a007-0d14-4f8e-8a3a-1b97b1f75b18

Jump to behavior

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

File read: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe "C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe"
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6180 -s 2296

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: \assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Net.Http.pdbzZ) source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Net.Http.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Xml.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.PDB source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: QUOTATION_AUGQTRA071244#U00faPDF.scr.PDB source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdbH source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbw source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2355544566.000001F29AC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354257737.0000001785DF5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERDE85.tmp.dmp.3.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERDE85.tmp.dmp.3.dr

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Memory allocated: 1F280A00000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Memory allocated: 1F29A2A0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596763	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 537588	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 6673			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Window / User API: threadDelayed 2699			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 5316	Thread sleep count: 6673 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 5316	Thread sleep count: 2699 > 30	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98777s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98294s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98147s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -98046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97801s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -596874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -596763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe TID: 6308	Thread sleep time: -537588s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99108	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98888	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98777	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98561	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98294	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98147	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 98046	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97801	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97466	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96593	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 596763	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Thread delayed: delay time: 537588	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354582860.000001F2808E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Queries volume information: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	100%	Avira	TR/Dldr.Agent.rundk
QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
filetransfer.io	104.21.13.139	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://filetransfer.io/data-package/3zQMDtTK/download	false		high
http://filetransfer.io/data-package/3zQMDtTK/download	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://filetransfer.io	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F28235A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.3.dr	false	high
https://filetransfer.io/dist/filetransfer-social-en.389488efe49681ac059b218c21161d72.png	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282395000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2823B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://palo-alto.cz/	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282395000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2823B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://filetransfer.io	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282372000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2822A1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F28234C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2822A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.filetransfer.io/	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F282395000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, 00000000.00000002.2354985999.000001F2823B1000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.13.139	filetransfer.io	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564717
Start date and time:	2024-11-28 18:38:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe renamed because original name is a hash value
Original Sample Name:	QUOTATION_AUGQTRA071244PDF.scr.exe
Detection:	MAL
Classification:	mal68.winEXE@2/5@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QUOTATION_AUGQTRA071244#U00faPDF.scr.exe, PID 6180 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
12:39:26	API Interceptor	46x Sleep call for process: QUOTATION_AUGQTRA071244#U00faPDF.scr.exe modified
12:40:30	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.13.139	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/aFTjGwJu/download
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/aFTjGwJu/download
	QUOTATION_MAYQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mAdHjYPt/download
	B73X15Rsu7.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/mU5kQOzV/download
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/FUq5fnFw/download
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/GWyzXjYcdownload
	Price List MAYQTRA031244PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/ku7hiEQr/download
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/aPtWC5T9/download
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/EN1H0b0j/download
	Payment Slip (SWIFT)#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/sooHKfZ9/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
filetransfer.io	PO_203-25.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.200.96
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	rBankRemittance_pdf.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	tnljashd27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	sdfgdsfkjg27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	tnkjasdhf27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	104.21.76.84
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.82.174
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	104.21.13.139
	tnljashd27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.13.139
	sdfgdsfkjg27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.13.139
	tnkjasdhf27.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	104.21.13.139
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.13.139
	#U8b49#U64da_89004161-000002102-66_20241128#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.13.139
	SITHIPHORN_Doc2709202400000.exe	Get hash	malicious	AgentTesla	Browse	104.21.13.139
	Document BT24#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.13.139
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.21.13.139
	file.exe	Get hash	malicious	Unknown	Browse	104.21.13.139

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_W3DWDTBUVWCO2ZCA_81040177d536b979a7a4c1d277cd9b7e7d8788_d85870c9_d6de2a2d-37dc-4ffa-bc54-64b7a19bdd17\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2059840896296348
Encrypted:	false
SSDEEP:	192:0CSRMBy9amIeBIP0UWbzt/MaWB+lPIUMmzuiF5Z24lO8jWF:VzBGMeBTU6zKamIgVmzuiF5Y4lO8aF
MD5:	202C130079DAFC1BF4BF43904DC0594E
SHA1:	3D6B9EAF2405CBBDE7719082F149330E8942B18A
SHA-256:	C8DC39BA0E1AE4CED203D4EB3580C82E914E5B966F166AA061AE8D2D7A253A09
SHA-512:	E768D8DD75D8652A8AFEB84FE66C25FD1ACE9A0B7DCE827374E809578FEB9C59D86250ABCB72211E2561DC529FDB2CCA3BF0065F5A3BE318024D31A642895D6C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.2.8.9.1.7.1.9.3.0.8.4.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.2.8.9.1.7.2.5.7.1.4.5.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.d.e.2.a.2.d.-.3.7.d.c.-.4.f.f.a.-.b.c.5.4.-.6.4.b.7.a.1.9.b.d.d.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.6.7.c.6.a.c.-.6.1.9.e.-.4.1.1.4.-.b.c.0.d.-.3.9.d.9.9.4.f.d.a.c.8.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.U.O.T.A.T.I.O.N._.A.U.G.Q.T.R.A.0.7.1.2.4.4.#.U.0.0.f.a.P.D.F...s.c.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.o.d.q.t.x.m.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.4.-.0.0.0.1.-.0.0.1.4.-.1.4.1.a.-.0.f.7.8.b.c.4.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.7.4.9.d.f.2.5.6.d.9.2.3.a.e.0.c.9.7.f.9.d.1.7.7.b.b.7.9.7.b.7.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.9.5.a.5.8.2.f.3.2.9.4.f.3.6.8.8.c.1.8.1.e.9.7.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE85.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Nov 28 17:39:32 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	516759
Entropy (8bit):	2.8586053363996387
Encrypted:	false
SSDEEP:	3072:uQmqe3+vJ7Oedm4QERj+cSGP6pCbgSXX1CCqzo7HTI75K:uMe3Qm4CGCpGZnqk7+Y
MD5:	CFD438043BA51B00EC4D0EC2F7FAC0C1
SHA1:	306783E14610553F71CAD0FF2BD8F46EA688D57C
SHA-256:	AB57F034DE8364E720F1838F655D852800D353C92C874064B52B7C2939AD029A
SHA-512:	61C735891DA1CC9A94BADD3942A30FD08707E964E8AB2005857CDFF2350FBD23D2D578C9745266112F3F40255404C15FEDCE3F4B81CBBE449F67A65237D09572
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........Hg....................................<...p(...........(......d4.............l.......8...........T............Y..............@3..........,5..............................................................................eJ.......5......Lw......................T.......$....Hg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE07A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8894
Entropy (8bit):	3.708296562307588
Encrypted:	false
SSDEEP:	192:R6l7wVeJXVuh6Y99Zkr4gmfZknprD989b5E4zRWfRzm:R6lXJch6YnZ/gmfmE5EcRWfo
MD5:	BF53736709EE87CD2271B30E7E4DEA41
SHA1:	CDB66CE504C03A07DE8A7231687CB16F9267924B
SHA-256:	2C5A25C96F69CA202A392CBF1713F99CDF10F0D91EC7502E9FFF21C235BC7A62
SHA-512:	09DA14EF7BA7F935C65500D35C2CCA96DEECDA674D2BB5EE2C9532EA51C789993A8EB4A1FA0DC1693571737BCC9C9199961A0E46B7A3EFE5AB276E0B45532031
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE09B.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4905
Entropy (8bit):	4.577200082038158
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmNJg771I9ytWpW8VY6vYm8M4JgKZ/EqsFJPyq8vQEqsVKZuSKZugd:uIjfmnI7lc7VByJ3ZcrWtrgZu5Zugd
MD5:	B970FF86A11515813EAFCCB164B99A30
SHA1:	61819AB75F6267D945936B011D8ABAADA248FF88
SHA-256:	F0B1072DDBA1BF834ABC57F96E6C1A011208FEE57002C0339A9744178D158623
SHA-512:	8EF47400EF3E657B99C71C044313A085F354B7DA2490A8C9C35BD2A5B84DCB6B90991BCBBEE7D18C630AA277CF8CA009EEFB2EEFA60852C89AEEBC349EBF016D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="608202" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465914216917608
Encrypted:	false
SSDEEP:	6144:OIXfpi67eLPU9skLmb0b47WSPKaJG8nAgejZMMhA2gX4WABl0uN7dwBCswSbJ:DXD947WlLZMM6YFH5+J
MD5:	B19EF4EA681FBD32218CE4881E1BAEEC
SHA1:	82AA0BE69F4FCC6EF47E30889578E496BB9C8CDB
SHA-256:	FC78713CCB05615995B10ED850E99DCCC21C15DCFA4AD90C0BF4A02CCCD76CC4
SHA-512:	2CD1087176F473533E7E55926755527A3E2B3914BDCCC73AA081745FFA9AC560CAE8C0C986F55955729FC62E1F17C58224EFA72AF20AFC021C2794400D16118B
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR.k{.A..............................................................................................................................................................................................................................................................................................................................................H.\|O........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	1.4996259326239583
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe
File size:	380'928 bytes
MD5:	85ac1b5c91ec2ad9d0935f550aa465f5
SHA1:	2995a582f3294f3688c181e97dbedb7ced01d23b
SHA256:	90fc942adbe09f92833f3d9f6d7ceb3c528da16f360445221de6e3dcc301e00a
SHA512:	29081674a4c69f2169a94dd1d9040d4c442e433fc082fdf3b99f98dc4a2c13dce6a22c65fe03eeffdae69218f5378e7bda56327692035144120732d41b7b79f4
SSDEEP:	768:LnUQ28UnGSnyAWkaHRQTwdYF4H4447iiL1r:rUQ28UnbyAWNHRUmYF4H444lr
TLSH:	6084B950AF6494B4E921FDB52B89E730D25B6CA236216F426D84339B75F36D0BF07328
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....a.f.........."...... ............... ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	98306c8c8eb282c4

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D061E9 [Thu Aug 29 11:56:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x5ad4a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1fa4	0x2000	9e4e13fcc1aed8901a3dc0321da93b54	False	0.5435791015625	data	5.6409456045064035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x5ad4a	0x5ae00	8e3a4f40e4183c86284ffd8228d1e05b	False	0.038632651306740026	data	1.3336876001673414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4094	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m	0.026130277835310828
RT_ICON	0x460e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.26861702127659576
RT_ICON	0x4656c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.11275933609958506
RT_ICON	0x48b38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.13930581613508441
RT_ICON	0x49c04	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.04588607594936709
RT_ICON	0x5a450	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.08384506376948513
RT_GROUP_ICON	0x5e6b4	0x5a	data	0.7555555555555555
RT_VERSION	0x5e74a	0x3da	data	0.4107505070993915
RT_MANIFEST	0x5eb60	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 18:39:28.015398979 CET	49730	80	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:28.135526896 CET	80	49730	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:28.135715961 CET	49730	80	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:28.139251947 CET	49730	80	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:28.259346962 CET	80	49730	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:29.541347980 CET	80	49730	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:29.581908941 CET	49730	80	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:29.664035082 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:29.664098024 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:29.664172888 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:29.733417034 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:29.733452082 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.046787977 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.046989918 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.051179886 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.051211119 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.051481962 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.097182989 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.103210926 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.147346973 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.965652943 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.965697050 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.965738058 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.965768099 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.965770960 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.965801001 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.965812922 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.979922056 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.979999065 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.980031967 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.991401911 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:31.991502047 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:31.991532087 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:32.013056040 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:32.013089895 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:32.013183117 CET	443	49731	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:32.013206959 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:32.013262033 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:32.030497074 CET	49731	443	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:32.030792952 CET	49730	80	192.168.2.4	104.21.13.139
Nov 28, 2024 18:39:32.209575891 CET	80	49730	104.21.13.139	192.168.2.4
Nov 28, 2024 18:39:32.209638119 CET	49730	80	192.168.2.4	104.21.13.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 18:39:27.858163118 CET	59841	53	192.168.2.4	1.1.1.1
Nov 28, 2024 18:39:28.000431061 CET	53	59841	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 18:39:27.858163118 CET	192.168.2.4	1.1.1.1	0xb1c5	Standard query (0)	filetransfer.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 18:39:28.000431061 CET	1.1.1.1	192.168.2.4	0xb1c5	No error (0)	filetransfer.io		104.21.13.139	A (IP address)	IN (0x0001)	false
Nov 28, 2024 18:39:28.000431061 CET	1.1.1.1	192.168.2.4	0xb1c5	No error (0)	filetransfer.io		172.67.200.96	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

filetransfer.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.13.139	80	6180	C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 18:39:28.139251947 CET	95	OUT	GET /data-package/3zQMDtTK/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
Nov 28, 2024 18:39:29.541347980 CET	1021	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 28 Nov 2024 17:39:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://filetransfer.io/data-package/3zQMDtTK/download cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qD%2F0vVR6lkj6LlJf7w%2FNY9hjJh4%2B0rTg90rTU8bWdo%2FRt8iwplexGNs3nFaLSBF8Ibzcgj0ZlAiwX1ULSPmrKtnjDZy18qo85WLlbF6kDfzcwdbQQ4nvClwAeTWLndLh3qw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9c233b381f8c81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1805&min_rtt=1805&rtt_var=902&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=95&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.13.139	443	6180	C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 17:39:31 UTC	95	OUT	GET /data-package/3zQMDtTK/download HTTP/1.1 Host: filetransfer.io Connection: Keep-Alive
2024-11-28 17:39:31 UTC	1234	IN	HTTP/1.1 430 Unknown status Date: Thu, 28 Nov 2024 17:39:31 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Nette Framework 3 X-Frame-Options: SAMEORIGIN Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly Set-Cookie: PHPSESSID=e82ead49t5tlf0mktmj3u36bi5; expires=Thu, 12-Dec-2024 17:39:31 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: X-Requested-With Vary: X-Requested-With cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=49Nzk42ngRkkL%2F00icgMm5OF3wfHrlP71lwW6Rk5yYDeuYf3K3Kc%2BGfufqw72dx20kc1j8N4zwV%2FIwx1xHvHV0RzG%2Fo3ip77N4xXOZgEkXSl%2FgIJepvAA6hKv7HDs5gQUoI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9c2348fb3ac3ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1529&min_rtt=1522&rtt_var=576&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=709&delivery_rate=1918528&cwnd=246&unsent_bytes=0&cid=7a3f4b85517f3367&ts=932&x=0"
2024-11-28 17:39:31 UTC	135	IN	Data Raw: 33 33 64 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 37 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 38 20 Data Ascii: 33dc<!DOCTYPE html>...[if lt IE 8 ]><html lang="cs" class="ie7 no-js"> <![endif]-->...[if lt IE 9 ]><html lang="cs" class="ie8
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 31 30 20 5d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 20 63 6c 61 73 73 3d 22 69 65 39 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 31 30 29 7c 21 28 49 45 29 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 63 73 22 0a 09 20 20 64 61 74 61 2d 64 65 66 61 75 6c 74 2d 74 69 6d 65 7a 6f 6e 65 3d 22 45 74 63 2f 55 54 43 22 20 64 61 74 61 2d 6f 6c 64 2d 62 72 6f 77 73 65 72 2d 75 72 6c 3d 22 2f 75 6e 73 75 70 70 6f 72 74 65 64 2d 62 72 6f 77 73 65 72 3f 6f 6c 64 3d 31 22 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 2d 6c 61 79 6f 75 74 20 6e 6f 2d 6a 73 20 70 72 Data Ascii: no-js"> <![endif]-->...[if lt IE 10 ]><html lang="cs" class="ie9 no-js"> <![endif]-->...[if (gt IE 10)\|!(IE)]>...><html lang="cs" data-default-timezone="Etc/UTC" data-old-browser-url="/unsupported-browser?old=1" class="responsive-layout no-js pr
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 61 76 69 63 6f 6e 2f 31 39 32 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 39 36 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 20 68 72 65 66 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 73 6f 6c 69 64 2f 31 32 38 2e 70 6e 67 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 36 30 Data Ascii: avicon/192.png"><link rel="apple-touch-icon-precomposed" sizes="96x96" href="/img/favicon/solid/96.png"><link rel="apple-touch-icon-precomposed" sizes="128x128" href="/img/favicon/solid/128.png"><link rel="apple-touch-icon-precomposed" sizes="160
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 31 34 34 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 73 71 75 61 72 65 37 30 78 37 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 74 69 6e 79 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 73 71 75 61 72 65 31 35 30 78 31 35 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 2f 73 71 75 61 72 65 2e 70 6e 67 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 77 69 64 65 33 31 30 78 31 35 30 6c 6f 67 6f 22 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 67 2f 66 61 76 69 63 6f 6e Data Ascii: t="/img/favicon/144.png"><meta name="msapplication-square70x70logo" content="/img/favicon/ms/tiny.png"><meta name="msapplication-square150x150logo" content="/img/favicon/ms/square.png"><meta name="msapplication-wide310x150logo" content="/img/favicon
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 75 20 6d 61 6b 65 20 61 20 74 79 70 6f 20 61 74 20 74 68 65 20 62 65 67 69 6e 6e 69 6e 67 20 6f 66 20 79 6f 75 20 65 2d 6d 61 69 6c 20 61 64 64 72 65 73 73 3f 20 49 66 20 74 68 69 73 20 72 65 61 6c 6c 79 20 69 73 20 74 68 65 20 63 6f 72 72 65 63 74 20 62 65 67 69 6e 6e 69 6e 67 20 6f 66 20 79 6f 75 20 65 2d 6d 61 69 6c 2c 20 70 72 65 73 73 20 65 6e 74 65 72 2e 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 61 6c 65 72 74 73 2e 75 70 6c 6f 61 64 46 61 69 6c 65 64 20 3d 20 22 57 65 20 61 72 65 20 73 6f 72 72 79 20 62 75 74 20 74 68 65 20 66 69 6c 65 20 75 70 6c 6f 61 64 20 63 6f 75 6c 64 6e 27 74 20 62 65 20 72 65 73 74 6f 72 65 64 2e 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 61 6c 65 72 74 73 2e 63 6f 6e 66 69 72 6d 55 70 6c 6f 61 64 41 62 6f 72 74 Data Ascii: u make a typo at the beginning of you e-mail address? If this really is the correct beginning of you e-mail, press enter."; MESSAGES.alerts.uploadFailed = "We are sorry but the file upload couldn't be restored."; MESSAGES.alerts.confirmUploadAbort
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 6c 65 73 2e 62 61 73 65 54 69 74 6c 65 20 3d 20 22 20 2d 20 46 69 6c 65 54 72 61 6e 73 66 65 72 2e 69 6f 22 3b 0a 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 64 61 79 73 20 3d 20 22 64 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 68 6f 75 72 73 20 3d 20 22 68 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 6d 69 6e 75 74 65 73 20 3d 20 22 6d 22 3b 0a 20 20 20 20 4d 45 53 53 41 47 45 53 2e 74 69 6d 65 2e 73 68 6f 72 74 63 75 74 73 2e 73 65 63 6f 6e 64 73 20 3d 20 22 73 22 3b 0a 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 0a 09 09 64 61 74 61 2d 62 79 74 65 73 2d 70 65 72 2d 6b 62 3d 22 31 Data Ascii: les.baseTitle = " - FileTransfer.io"; MESSAGES.time.shortcuts.days = "d"; MESSAGES.time.shortcuts.hours = "h"; MESSAGES.time.shortcuts.minutes = "m"; MESSAGES.time.shortcuts.seconds = "s";</script></head><bodydata-bytes-per-kb="1
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 65 6d 20 78 73 2d 76 69 73 69 62 6c 65 22 3e 0a 09 09 09 09 09 4c 6f 67 20 69 6e 0a 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 61 3e 0a 09 09 09 3c 21 2d 2d 20 2e 61 63 63 6f 75 6e 74 20 2d 2d 3e 0a 0a 09 09 3c 6e 61 76 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 61 76 69 67 61 74 69 6f 6e 2d 74 72 69 67 67 65 72 20 6d 64 2d 69 6e 76 69 73 69 62 6c 65 20 75 6e 64 65 72 6c 69 6e 65 22 3e 0a 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6e 61 76 69 67 61 74 69 6f 6e 2d 74 72 69 67 67 65 72 2d 69 63 6f 6e 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 31 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 32 22 3e 2d 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 Data Ascii: em xs-visible">Log in</span></a>... .account --><nav><div class="navigation-trigger md-invisible underline"><span class="navigation-trigger-icon"><span class="line-1">-</span><span class="line-2">-</span>
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 64 20 69 74 20 66 72 6f 6d 20 74 68 65 20 73 65 72 76 65 72 2e 0a 09 09 09 09 09 09 3c 2f 70 3e 0a 0a 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 21 2d 2d 20 2e 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 20 2d 2d 3e 0a 0a 0a 09 09 09 09 09 09 09 09 09 0a 0a 09 09 09 09 09 09 3c 2f 73 65 63 74 69 6f 6e 3e 0a 09 09 09 09 09 09 3c 21 2d 2d 20 2e 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0a 0a 09 09 3c 68 72 3e 0a 0a 09 09 3c 66 6f 6f 74 65 72 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 20 65 6e 22 20 69 64 3d 22 73 6e 69 70 70 65 74 2d 2d 66 6f 6f 74 65 72 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 78 20 63 6f 6c 75 6d 6e 73 2d 73 65 70 20 63 6f 6c 75 6d 6e 73 2d 67 61 70 2d 67 6c 75 65 64 20 63 6f 6c 75 6d 6e 73 20 6d 64 2d 33 22 3e 0a Data Ascii: d it from the server.</p></div>... .content-header --></section>... .content --><hr><footer class="footer en" id="snippet--footer"><div class="box columns-sep columns-gap-glued columns md-3">
2024-11-28 17:39:31 UTC	1369	IN	Data Raw: 3c 2f 64 69 76 3e 0a 09 09 09 3c 21 2d 2d 20 2e 63 6f 6c 75 6d 6e 73 20 2d 2d 3e 0a 0a 0a 09 09 09 3c 6e 61 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 2d 6e 61 76 69 67 61 74 69 6f 6e 22 3e 0a 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 43 6f 6e 74 61 63 74 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 63 6f 6e 74 61 63 74 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 2d 69 74 65 6d 22 3e 43 6f 6e 74 61 63 74 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 2f 61 3e 0a 09 09 09 26 6d 69 64 64 6f 74 3b 0a 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 46 41 51 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 66 72 65 71 75 65 6e 74 2d 71 75 65 73 74 69 6f 6e 73 Data Ascii: </div>... .columns --><nav class="footer-navigation"><a title="Contact" class="underline" href="/contact"><span class="underline-item">Contact</span></a>·<a title="FAQ" class="underline" href="/frequent-questions
2024-11-28 17:39:32 UTC	1369	IN	Data Raw: 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 26 6d 69 64 64 6f 74 3b 0a 09 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 41 6c 74 65 72 6e 61 74 69 76 65 20 74 6f 20 57 65 73 65 6e 64 69 74 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 77 65 73 65 6e 64 69 74 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 2d 69 74 65 6d 22 3e 57 65 73 65 6e 64 69 74 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 26 6d 69 64 64 6f 74 3b 0a 09 09 09 09 09 3c 61 20 74 69 74 6c 65 3d 22 41 6c 74 65 72 6e 61 74 69 76 65 20 74 6f 20 57 6f 72 6b 75 70 6c 6f 61 64 22 20 63 6c 61 73 73 3d 22 75 6e 64 65 72 6c 69 6e 65 22 20 68 72 65 66 3d 22 2f 77 6f 72 6b 75 Data Ascii: </span></a>·<a title="Alternative to Wesendit" class="underline" href="/wesendit"><span class="underline-item">Wesendit</span></a>·<a title="Alternative to Workupload" class="underline" href="/worku

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: QUOTATION_AUGQTRA071244#U00faPDF.scr.exePID: 6180, Parent PID: 2580

General

Target ID:	0
Start time:	12:39:26
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\QUOTATION_AUGQTRA071244#U00faPDF.scr.exe"
Imagebase:	0x1f280670000
File size:	380'928 bytes
MD5 hash:	85AC1B5C91EC2AD9D0935F550AA465F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5808, Parent PID: 6180

General

Target ID:	3
Start time:	12:39:31
Start date:	28/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6180 -s 2296
Imagebase:	0x7ff70f810000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: QUOTATION_AUGQTRA071244#U00faPDF.scr.exePID: 6180, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B8A17BA Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775016927ae9fc9ad06d5588b9aaf9bce6c9aa64e535201028bedb9b8a0deb61
Instruction ID: 59e513016d0a39ad4b13068f098907db003634f00f12216f251957a52cd68fad
Opcode Fuzzy Hash: 775016927ae9fc9ad06d5588b9aaf9bce6c9aa64e535201028bedb9b8a0deb61
Instruction Fuzzy Hash: 6D51C130A0CB4C4FDB58EF98D8556EDBBF1EF99310F0442ABD049D7256CA34A845CB82

Function 00007FFD9B8A17A5 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c36b4db5187917ae59bd40da0d9e5a80f43680c92bdbbeb5fe878787c77bf9b
Instruction ID: b00bf9dc31cbf40ddc39bd11e23d62cbf0433f5cd987fcf096a831c2ddf078a6
Opcode Fuzzy Hash: 9c36b4db5187917ae59bd40da0d9e5a80f43680c92bdbbeb5fe878787c77bf9b
Instruction Fuzzy Hash: 9151B130A08B1C8FDB58EF98D8556EDBBE1FF99310F00826BD449D7256DA34A845CB82

Function 00007FFD9B8A093D Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e9943ecce1640ee4f477c8f3bcbaf9e6897b8638fcdffb605fe39cd1e259e1
Instruction ID: 8c376d2a5dd7c142005054cdab2e516442696431a3c983d6cb8a3ae4fd01248b
Opcode Fuzzy Hash: c5e9943ecce1640ee4f477c8f3bcbaf9e6897b8638fcdffb605fe39cd1e259e1
Instruction Fuzzy Hash: 80411411F2E95E4BF7B4ABA854B12B963C1EF8CB50F5A0076D04EC32E6ED2879025351

Function 00007FFD9B8A07C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ea601fbe49c9d2730783e51f285169d90f049d28219858873e6915984f882f
Instruction ID: f5b7076e9ee96576c7caa9e33ae2cb48f8f32d4f00db8caafa0435ad05f886d8
Opcode Fuzzy Hash: 92ea601fbe49c9d2730783e51f285169d90f049d28219858873e6915984f882f
Instruction Fuzzy Hash: FC41E142E1F6C94FF73113B82C35079AE509F4AB50B1A41BFD0EC8A4E789096E45C7A7

Function 00007FFD9B8A0B82 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17860c7b6422dd9526f83e61cd80f94d855a60c07218059f1dbfcd5ddd2ff8f
Instruction ID: 0a545b991d007f57aa7f481fa13060bbd98ded053e99b54bc70b0c61c9f943c8
Opcode Fuzzy Hash: c17860c7b6422dd9526f83e61cd80f94d855a60c07218059f1dbfcd5ddd2ff8f
Instruction Fuzzy Hash: E9112E30B6D40A8FE7B8CB64816077872A2EF4C754F6604B9D10FC7AE9CE28A9419751

Function 00007FFD9B8A08C9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3703e0796e9fa488824d7d7e4709e6c9b9b7fb0c2df71449dbfa5cb3f130c2
Instruction ID: d33a6428ff56f1f84379768378a80af4083b0471b6c201adc13c4039f5576d51
Opcode Fuzzy Hash: fd3703e0796e9fa488824d7d7e4709e6c9b9b7fb0c2df71449dbfa5cb3f130c2
Instruction Fuzzy Hash: 3001F242F2EA8A0FE3B457B818B95B51F90DF9D640B0A02B7E00DC71F3EC1829468311

Function 00007FFD9B8A0AD5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e909fbdb0fad43d5eaf4cf722836d6b5b1804fa09497cfe363e6c879f4a808b2
Instruction ID: 04cda64e9a79c63ac3e619695d4522d4d91647914615dae6506c57b340d5a121
Opcode Fuzzy Hash: e909fbdb0fad43d5eaf4cf722836d6b5b1804fa09497cfe363e6c879f4a808b2
Instruction Fuzzy Hash: 48F06562F1E84D4FFBA4565C546C2382391EF99B6174A0277D44EC3291EE195C025350

Function 00007FFD9B8A0C8F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557170556f2d00822e96215c4b61b49b3eb9ea14249aa5091eb5fa59a9fd9c42
Instruction ID: b74e10eb26d6ffdb8e6d0a94a169ec6b55f10586beaa04a77ffb1d72c175adcf
Opcode Fuzzy Hash: 557170556f2d00822e96215c4b61b49b3eb9ea14249aa5091eb5fa59a9fd9c42
Instruction Fuzzy Hash: 12E07D3250FA4C1BCB00EB9A6C648C63FA8FBCE358F01022BF44CC7141E2129651C311

Function 00007FFD9B8A0C8E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2356059212.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8a0000_QUOTATION_AUGQTRA071244#U00faPDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5ca7f59313b20fd98c83b0dbdbb97775081870e5bd0195d66926dfb2189630
Instruction ID: 7a5e0728ded2b383018f132c3581cbae7c228d6ffc2cdbad55d7d313576e29d3
Opcode Fuzzy Hash: 2a5ca7f59313b20fd98c83b0dbdbb97775081870e5bd0195d66926dfb2189630
Instruction Fuzzy Hash: 02E0263250BA4C4BCB00ABE96C644C93BA4FB8D314F00022BF54CC7141E6219651C701

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION_AUGQTRA071244#U00faPDF.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_W3DWDTBUVWCO2ZCA_81040177d536b979a7a4c1d277cd9b7e7d8788_d85870c9_d6de2a2d-37dc-4ffa-bc54-64b7a19bdd17\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE85.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE07A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE09B.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
QUOTATION_AUGQTRA071244#U00faPDF.scr.exe