Edit tour

Windows Analysis Report
RENH3RE2025QUOTE.exe

Overview

General Information

Sample name:	RENH3RE2025QUOTE.exe
Analysis ID:	1590628
MD5:	330e82d1533a039ed8c68e0c40bf7d61
SHA1:	cfd41e1636eccd3b47ee9cdcdc5351fe3c3cefa7
SHA256:	778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b
Tags:	exeuser-TeamDreier
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RENH3RE2025QUOTE.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe" MD5: 330E82D1533A039ED8C68E0C40BF7D61)

powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7812 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RENH3RE2025QUOTE.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe" MD5: 330E82D1533A039ED8C68E0C40BF7D61)

RENH3RE2025QUOTE.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe" MD5: 330E82D1533A039ED8C68E0C40BF7D61)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7704742999:AAG0GCBtZYjgQBMY4ELoXFDZtEO_hdGA7UY", "Telegram Chatid": "7245529134"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1849425007.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.3066826345.00000000030D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb4f:$a1: get_encryptedPassword 0x2696f:$a1: get_encryptedPassword 0xfe77:$a2: get_encryptedUsername 0x26c97:$a2: get_encryptedUsername 0xf8ea:$a3: get_timePasswordChanged 0x2670a:$a3: get_timePasswordChanged 0xfa0b:$a4: get_passwordField 0x2682b:$a4: get_passwordField 0xfb65:$a5: set_encryptedPassword 0x26985:$a5: set_encryptedPassword 0x114c1:$a7: get_logins 0x282e1:$a7: get_logins 0x11172:$a8: GetOutlookPasswords 0x27f92:$a8: GetOutlookPasswords 0x10f64:$a9: StartKeylogger 0x27d84:$a9: StartKeylogger 0x11411:$a10: KeyLoggerEventArgs 0x28231:$a10: KeyLoggerEventArgs 0x10fc1:$a11: KeyLoggerEventArgsEventHandler 0x27de1:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x18cd3f:$a1: get_encryptedPassword 0x18d067:$a2: get_encryptedUsername 0x18cada:$a3: get_timePasswordChanged 0x18cbfb:$a4: get_passwordField 0x18cd55:$a5: set_encryptedPassword 0x18e6b1:$a7: get_logins 0x18e362:$a8: GetOutlookPasswords 0x18e154:$a9: StartKeylogger 0x18e601:$a10: KeyLoggerEventArgs 0x18e1b1:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1844531826.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x492ac:$a1: get_encryptedPassword 0xb66d8:$a1: get_encryptedPassword 0x495c5:$a2: get_encryptedUsername 0xb69f1:$a2: get_encryptedUsername 0x4905b:$a3: get_timePasswordChanged 0xb6487:$a3: get_timePasswordChanged 0x4917c:$a4: get_passwordField 0xb65a8:$a4: get_passwordField 0x492c2:$a5: set_encryptedPassword 0xb66ee:$a5: set_encryptedPassword 0x4abc5:$a7: get_logins 0xb7ff1:$a7: get_logins 0x4a876:$a8: GetOutlookPasswords 0xb7ca2:$a8: GetOutlookPasswords 0x4a668:$a9: StartKeylogger 0xb7a94:$a9: StartKeylogger 0x4ab15:$a10: KeyLoggerEventArgs 0xb7f41:$a10: KeyLoggerEventArgs 0x4a6c5:$a11: KeyLoggerEventArgsEventHandler 0xb7af1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x25df8:$a1: get_encryptedPassword 0x26111:$a2: get_encryptedUsername 0x25ba7:$a3: get_timePasswordChanged 0x25cc8:$a4: get_passwordField 0x25e0e:$a5: set_encryptedPassword 0x27711:$a7: get_logins 0x273c2:$a8: GetOutlookPasswords 0x271b4:$a9: StartKeylogger 0x27661:$a10: KeyLoggerEventArgs 0x27211:$a11: KeyLoggerEventArgsEventHandler
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RENH3RE2025QUOTE.exe.31e45ac.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.57c0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.57c0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
5.2.RENH3RE2025QUOTE.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.RENH3RE2025QUOTE.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RENH3RE2025QUOTE.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.RENH3RE2025QUOTE.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
5.2.RENH3RE2025QUOTE.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
0.2.RENH3RE2025QUOTE.exe.31e45ac.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25fff:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26327:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25d9a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25ebb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x26015:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27971:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27622:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x27414:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x278c1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler 0x27471:$a11: KeyLoggerEventArgsEventHandler
0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x2a7b7:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data 0x2b5af:$a5: \Kometa\User Data\Default\Login Data
0.2.RENH3RE2025QUOTE.exe.2fc277c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RENH3RE2025QUOTE.exe.2f09e10.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", ParentImage: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe, ParentProcessId: 7412, ParentProcessName: RENH3RE2025QUOTE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", ProcessId: 7604, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", ParentImage: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe, ParentProcessId: 7412, ParentProcessName: RENH3RE2025QUOTE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe", ProcessId: 7604, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T11:54:17.802304+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7704742999:AAG0GCBtZYjgQBMY4ELoXFDZtEO_hdGA7UY", "Telegram Chatid": "7245529134"}

Multi AV Scanner detection for submitted file

Source: RENH3RE2025QUOTE.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RENH3RE2025QUOTE.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: RENH3RE2025QUOTE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49740 version: TLS 1.0

Source: RENH3RE2025QUOTE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kRdU.pdbSHA256F source: RENH3RE2025QUOTE.exe
Source:	Binary string: kRdU.pdb source: RENH3RE2025QUOTE.exe

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 4x nop then jmp 01429731h	5_2_01429480
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 4x nop then jmp 01429E5Ah	5_2_01429A30
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 4x nop then jmp 01429E5Ah	5_2_01429D87

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49740 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000304B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000304B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1844531826.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RENH3RE2025QUOTE.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 0_2_02C74204	0_2_02C74204
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 0_2_02C77018	0_2_02C77018
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 0_2_02C7D8EC	0_2_02C7D8EC
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 5_2_0142C530	5_2_0142C530
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 5_2_01422DD1	5_2_01422DD1
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 5_2_01429480	5_2_01429480
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 5_2_014219B8	5_2_014219B8
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 5_2_0142C521	5_2_0142C521
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Code function: 5_2_0142946F	5_2_0142946F

Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1849425007.00000000057C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000000.1812378155.0000000000B3A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekRdU.exeB vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1844531826.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1844531826.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1852404195.0000000007A10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000000.00000002.1841107915.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3065356676.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3065207448.0000000000D97000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RENH3RE2025QUOTE.exe
Source: RENH3RE2025QUOTE.exe	Binary or memory string: OriginalFilenamekRdU.exeB vs RENH3RE2025QUOTE.exe

Source: RENH3RE2025QUOTE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: RENH3RE2025QUOTE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/6@2/2

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RENH3RE2025QUOTE.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrarqjv3.ors.ps1

Jump to behavior

Source: RENH3RE2025QUOTE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RENH3RE2025QUOTE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000308E000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000309E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RENH3RE2025QUOTE.exe, 00000000.00000000.1812378155.0000000000AA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);

Source: RENH3RE2025QUOTE.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RENH3RE2025QUOTE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RENH3RE2025QUOTE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RENH3RE2025QUOTE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kRdU.pdbSHA256F source: RENH3RE2025QUOTE.exe
Source:	Binary string: kRdU.pdb source: RENH3RE2025QUOTE.exe

Source: RENH3RE2025QUOTE.exe

Static PE information: 0xB1537BA4 [Thu Apr 10 07:32:52 2064 UTC]

Source: RENH3RE2025QUOTE.exe

Static PE information: section name: .text entropy: 7.632649271427306

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 4DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 8F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 9F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: B170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 1420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7009			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2678			Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RENH3RE2025QUOTE.exe, 00000005.00000002.3065356676.00000000011F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"			Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Process created: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.31e45ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.31e45ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.2fc277c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.2f09e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1849425007.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1844531826.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3066826345.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.31e45ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.57c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.57c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.31e45ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.2fc277c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.2f09e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1849425007.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1844531826.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3df0790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RENH3RE2025QUOTE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RENH3RE2025QUOTE.exe.3dd9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RENH3RE2025QUOTE.exe PID: 7644, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RENH3RE2025QUOTE.exe	42%	ReversingLabs	Win32.Virus.Virut
RENH3RE2025QUOTE.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000304B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/DataSet1.xsd	RENH3RE2025QUOTE.exe	false	high
http://www.tiro.com	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000304B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RENH3RE2025QUOTE.exe, 00000000.00000002.1844531826.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	RENH3RE2025QUOTE.exe, 00000000.00000002.1850918940.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RENH3RE2025QUOTE.exe, 00000005.00000002.3066826345.000000000302E000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590628
Start date and time:	2025-01-14 11:53:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RENH3RE2025QUOTE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 184.28.90.27, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RENH3RE2025QUOTE.exe, PID 7644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:54:14	API Interceptor	1x Sleep call for process: RENH3RE2025QUOTE.exe modified
05:54:16	API Interceptor	17x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	237025cm.n9shteam.in/UpdatesqlCdn.php
	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.masterqq.pro/vfw3/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe
132.226.247.73	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://web.oncentrl.com/#/index/action?entityType=PUBLISHEDQUESTIONNAIRE&entityId=134955&actionType=PUBLISH&context=CLIENT_MGMT&recieverUserInfoId=68822	Get hash	malicious	Unknown	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	https://akirapowered84501.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuG-142imNH	Get hash	malicious	Unknown	Browse	104.17.205.31
	https://clients.dedicatedservicesusa.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	Scanned-IMGS_from NomanGroup IDT.scr.exe	Get hash	malicious	FormBook	Browse	104.21.3.193
	Remittance.html	Get hash	malicious	Unknown	Browse	104.16.100.29
	http://binary-acceptance-hotel-difficult.trycloudflare.com	Get hash	malicious	Unknown	Browse	104.16.230.132
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Ticketmaster #U00c2#U0156300 Cash2356899.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	Signature Required_ Retail Technology Asia Employee Benefit for eddie.chan@rtasia.com.hk.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
UTMEMUS	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\RENH3RE2025QUOTE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoULF+gZ9tK8NPZHUxL7u1iMugeoPUyus:tLHyIFKEDZ2KRHWLOugYs
MD5:	353496971C4DB83F6E88C3C6E525E348
SHA1:	8B0B4FAA5A39C9064FAE9F4826CC6778A586364D
SHA-256:	ED6F840ADD0BFA7C3EBF6CA4F8F9A7AF135FDAC2145309DC61DA6C00569DD426
SHA-512:	A53736A299F45C8872EFB5BA06D8CAFEAD003B176473DCC4195A383244F3554B5E73F1E2B85AA54BDA0A96D0B362282450131E7B9423E375D9D2EE74AD4FB817
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsgi25rr.ik0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrarqjv3.ors.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqnfkuaq.eub.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztfsmvq1.gt2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.287833441225162
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RENH3RE2025QUOTE.exe
File size:	666'112 bytes
MD5:	330e82d1533a039ed8c68e0c40bf7d61
SHA1:	cfd41e1636eccd3b47ee9cdcdc5351fe3c3cefa7
SHA256:	778f9aa3775f01e8be291052165e046a6344d925f5014d2ebbebd6e46148ae1b
SHA512:	833b63cc35aba672519afdaa36c158d191a609b9d45fa741d83da3906a7fc9aa71834d6cb345a6b6f6f91d5fa83e21117114e01a24575ba4f8891d0f0a552357
SSDEEP:	12288:qYRxA4Y5lyA/BxSPCdSm3uD97XzDNfUt1B2UvMBjDajuyUpoTLKFUN0uUC3d:lRQSfFq2wMxTyUpOLvH3d
TLSH:	13E4CE85E584C501DC691F741832EEB8126BBEA9BD74D20EDBDC3DFB7A732831421A46
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{S...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	1103212484000000

Static PE Info

General

Entrypoint:	0x48b72e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB1537BA4 [Thu Apr 10 07:32:52 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8b6dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x18c80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x89f0c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x89744	0x89800	1d423b03abaafd6cf8e27db535516abe	False	0.8940731534090909	data	7.632649271427306	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x18c80	0x18e00	3188fc6202a10562c0542d10c70fa167	False	0.18880535489949749	data	3.217345828412933	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	f31f015f1acf10d36a328d78cec6930f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8c1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 23622 x 23622 px/m	0.3324468085106383
RT_ICON	0x8c658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 23622 x 23622 px/m	0.25117260787992496
RT_ICON	0x8d700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 23622 x 23622 px/m	0.2183609958506224
RT_ICON	0x8fca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 23622 x 23622 px/m	0.19550070854983467
RT_ICON	0x93ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 23622 x 23622 px/m	0.1723796285342482
RT_GROUP_ICON	0xa46f8	0x4c	data	0.75
RT_VERSION	0xa4744	0x350	data	0.4268867924528302
RT_MANIFEST	0xa4a94	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T11:54:17.802304+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:54:16.857923985 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:54:16.864006042 CET	80	49738	132.226.247.73	192.168.2.4
Jan 14, 2025 11:54:16.864093065 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:54:16.864362955 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:54:16.869214058 CET	80	49738	132.226.247.73	192.168.2.4
Jan 14, 2025 11:54:17.535399914 CET	80	49738	132.226.247.73	192.168.2.4
Jan 14, 2025 11:54:17.541498899 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:54:17.547405958 CET	80	49738	132.226.247.73	192.168.2.4
Jan 14, 2025 11:54:17.750349998 CET	80	49738	132.226.247.73	192.168.2.4
Jan 14, 2025 11:54:17.761776924 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:17.761836052 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:17.761905909 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:17.770394087 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:17.770428896 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:17.802304029 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:54:18.259969950 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:18.260045052 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:18.264894009 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:18.264923096 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:18.265418053 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:18.317848921 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:18.752768040 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:18.799340010 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:18.866203070 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:18.866277933 CET	443	49740	104.21.80.1	192.168.2.4
Jan 14, 2025 11:54:18.866347075 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:54:18.981108904 CET	49740	443	192.168.2.4	104.21.80.1
Jan 14, 2025 11:55:22.760107040 CET	80	49738	132.226.247.73	192.168.2.4
Jan 14, 2025 11:55:22.760247946 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:55:57.755669117 CET	49738	80	192.168.2.4	132.226.247.73
Jan 14, 2025 11:55:57.760591984 CET	80	49738	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:54:16.842586040 CET	56358	53	192.168.2.4	1.1.1.1
Jan 14, 2025 11:54:16.850483894 CET	53	56358	1.1.1.1	192.168.2.4
Jan 14, 2025 11:54:17.752717018 CET	65188	53	192.168.2.4	1.1.1.1
Jan 14, 2025 11:54:17.760921955 CET	53	65188	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:54:16.842586040 CET	192.168.2.4	1.1.1.1	0xd0ec	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.752717018 CET	192.168.2.4	1.1.1.1	0x23ba	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:54:16.850483894 CET	1.1.1.1	192.168.2.4	0xd0ec	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:54:16.850483894 CET	1.1.1.1	192.168.2.4	0xd0ec	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:16.850483894 CET	1.1.1.1	192.168.2.4	0xd0ec	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:16.850483894 CET	1.1.1.1	192.168.2.4	0xd0ec	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:16.850483894 CET	1.1.1.1	192.168.2.4	0xd0ec	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:16.850483894 CET	1.1.1.1	192.168.2.4	0xd0ec	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:54:17.760921955 CET	1.1.1.1	192.168.2.4	0x23ba	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	132.226.247.73	80	7644	C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 11:54:16.864362955 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 11:54:17.535399914 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 11:54:17.541498899 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 11:54:17.750349998 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	104.21.80.1	443	7644	C:\Users\user\Desktop\RENH3RE2025QUOTE.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 10:54:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 10:54:18 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 10:54:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2166847 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=apbYrH2C1x5NKVyvWcN6XhEgQ%2BkxYXYSpt7cQFVOd9JOZ9hNZ88P5VsggrayDndcIa4sfUnYGx4PKTA%2Fr%2F9ePMU1gMG3L774SgEz7AZIUCiBRjuK%2ByGWrBW7yFj30WF5So5Rs%2Blf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901d16578ead8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1917&min_rtt=1908&rtt_var=734&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1473259&cwnd=223&unsent_bytes=0&cid=bbd8c5d15d7dc980&ts=617&x=0"
2025-01-14 10:54:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	05:54:12
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\RENH3RE2025QUOTE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Imagebase:	0xaa0000
File size:	666'112 bytes
MD5 hash:	330E82D1533A039ED8C68E0C40BF7D61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1849425007.00000000057C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1845457872.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1845457872.0000000003E17000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1844531826.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:54:15
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Imagebase:	0xbc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:54:15
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:54:15
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\RENH3RE2025QUOTE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Imagebase:	0xa0000
File size:	666'112 bytes
MD5 hash:	330E82D1533A039ED8C68E0C40BF7D61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:54:15
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\RENH3RE2025QUOTE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RENH3RE2025QUOTE.exe"
Imagebase:	0xb60000
File size:	666'112 bytes
MD5 hash:	330E82D1533A039ED8C68E0C40BF7D61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3065038468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3066826345.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:54:18
Start date:	14/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	79
Total number of Limit Nodes:	5

Executed Functions

Function 02C77018 Relevance: 1.4, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp^q, xrefs: 02C771F1

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Pp^q
API String ID: 0-3179448734
Opcode ID: 2099ead39657bad6aa647b74cbe708029c9601b0e467bf3f7db7ea1cab764d47
Instruction ID: b6daceaa46fab82eff26328701c3dd833b2ad7e58f6daf26321a9253420eabb8
Opcode Fuzzy Hash: 2099ead39657bad6aa647b74cbe708029c9601b0e467bf3f7db7ea1cab764d47
Instruction Fuzzy Hash: EB817374E01208DFDB54DFA9D984A9DBBF2FF88300F24852AE419AB369DB346945CF50

Function 02C74204 Relevance: 1.4, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp^q, xrefs: 02C771F1

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Pp^q
API String ID: 0-3179448734
Opcode ID: ee7f2f3223c5dd38c168a187a6642299bf4712fb3170dbf78ab187182059e750
Instruction ID: 4dbabac6bf5d6779996cc37ab4eb73f630ea4ebab7c487ac283710b56845c655
Opcode Fuzzy Hash: ee7f2f3223c5dd38c168a187a6642299bf4712fb3170dbf78ab187182059e750
Instruction Fuzzy Hash: 72817274E01208DFDB54DFA9D984A9DBBF2FF88300F24852AE419A7369DB306945CF50

Function 02C7B3C1 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C7B626

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c35032240b13a763cdfec8fcdc5e2286d0fac2d466f08e2e721f6d1952cd0185
Instruction ID: aaaa64d67c08fe586ee1c146a7e8cf7c137ce79834be29136770b358c8ed99f7
Opcode Fuzzy Hash: c35032240b13a763cdfec8fcdc5e2286d0fac2d466f08e2e721f6d1952cd0185
Instruction Fuzzy Hash: 1A8121B0A00B058FD724DF2AD54479ABBF5BF88318F00896EE48AD7A50DB35E945CF94

Function 02C7590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C759C9

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f5697177bf6df3156ca219275b09e378c49d30afe2bf48e3e407f5d2fece08a4
Instruction ID: bd4e61e64cb2e79c59b1e50435a012f8ed0a77ce666fd74019fef1ccfbead346
Opcode Fuzzy Hash: f5697177bf6df3156ca219275b09e378c49d30afe2bf48e3e407f5d2fece08a4
Instruction Fuzzy Hash: 9C41F1B0C00719CBDB24CFA9C884BDEBBF5BF49304F60806AD408AB250DB756946CF90

Function 02C744F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C759C9

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 12ef9cc7cbcc4048299ec193a311a01bc54eac8083b8fa45958ce11fad731f2d
Instruction ID: ba95c612dece026da19477e42580605fbdd79e66bbc888eefe59741e22c28719
Opcode Fuzzy Hash: 12ef9cc7cbcc4048299ec193a311a01bc54eac8083b8fa45958ce11fad731f2d
Instruction Fuzzy Hash: 1941D1B0C00719CBDB24DFAAC884B9EBBF5BF49314F64806AD408AB255DB756946CF90

Function 02C7B3B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7D586,?,?,?,?,?), ref: 02C7DA4F

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2df33859bb314ce4613301b9b502787f14298c8254d8769384dfeb7362a370be
Instruction ID: 248f1d481b0d05bdf63ed9ba6639b5474508a41b19deab193936f79edb1ecb9f
Opcode Fuzzy Hash: 2df33859bb314ce4613301b9b502787f14298c8254d8769384dfeb7362a370be
Instruction Fuzzy Hash: 8121E5B5900248EFDB10CFAAD584ADEBBF4FF48320F14845AE919A7350D374A950CFA4

Function 02C7D9C1 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7D586,?,?,?,?,?), ref: 02C7DA4F

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a817cc87fc7aa0073d0968f7e9a5b11b84ba036f93fc791527de84df9d78462
Instruction ID: 8f5364ca44b9307b72b456ae146eebca21aae5151d922615d13bcc1f4c716be2
Opcode Fuzzy Hash: 2a817cc87fc7aa0073d0968f7e9a5b11b84ba036f93fc791527de84df9d78462
Instruction Fuzzy Hash: D721E0B5D00218DFDB10CFA9D985AEEBBF4FB48320F14845AE919A3310D374AA40CFA4

Function 02C7B5C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C7B626

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2552ac99896d718cb55ff22177c0ac157ac52a93757da6fc3a31e3c0af9ffb6c
Instruction ID: a712b18ef2aa887d3588a94857ea4e8ef987b7aef003f7421e2a7f220a0794f1
Opcode Fuzzy Hash: 2552ac99896d718cb55ff22177c0ac157ac52a93757da6fc3a31e3c0af9ffb6c
Instruction Fuzzy Hash: D6110FB5C002498FCB14CF9AC844ADEFBF4EF88324F10846AD919A7210C375A645CFA5

Function 0141D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843833509.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68245fe8ab812586c0a9c962bf06182666ad002c3c372ac7820e804351708a
Instruction ID: 68f036188d99ac3089524e5b71797edc71a0e472b5b027589d4dccaf7c5e90e6
Opcode Fuzzy Hash: 5e68245fe8ab812586c0a9c962bf06182666ad002c3c372ac7820e804351708a
Instruction Fuzzy Hash: 8B2108B1904200DFDB05DF98D9C8B67BF65FB88320F20C56AED150B26AC336D416CB61

Function 0141D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843833509.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da375943914215794acfadb243d92de2b9149f78c3a86a25d168845904a98ba6
Instruction ID: bcdd11a1e915f18780ec83e12676f569812fd8428238e5a74d5e8c488b6fe11f
Opcode Fuzzy Hash: da375943914215794acfadb243d92de2b9149f78c3a86a25d168845904a98ba6
Instruction Fuzzy Hash: F12136B1940204DFDB05DF48D9C8B57BF65FB88314F20C17AE9090B36AC336E446CAA1

Function 0142D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843935234.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bb2fac9edb481ac6806eb0d6465861f3bb37c41a5f57ff993c1cae91d08ecc
Instruction ID: 71f19ea00b18ce6e1e7cd1eeaee42c38abf9f1db18c919d7693fb05596186b06
Opcode Fuzzy Hash: b2bb2fac9edb481ac6806eb0d6465861f3bb37c41a5f57ff993c1cae91d08ecc
Instruction Fuzzy Hash: 63212671904200EFDB05DF98D9C4B26BBA5FB85324F60C6AEE9094B366C736D486CA71

Function 0142D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843935234.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c1a9a450fede9dfa30704269b106427e62c9090d8e8032ffc46d4a553a8b99
Instruction ID: e03af31991ce5c25d1c9fd0fa7a55ef9a64fec56ba2c0dbf6bb9526cd1b8cc30
Opcode Fuzzy Hash: a2c1a9a450fede9dfa30704269b106427e62c9090d8e8032ffc46d4a553a8b99
Instruction Fuzzy Hash: E32122B1A04240DFCB15DF58D984B26BFA5EB84318F60C56ED90A4B3B6C33AD487CA61

Function 0142D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843935234.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4394392a183ac4872418aa7ebc06367bcccac4addd0eddce7cbd38f46db48ec4
Instruction ID: bd34ee4d76c020e4c21b95bc6b6ceae13155194b1ca673a01255fe98493df376
Opcode Fuzzy Hash: 4394392a183ac4872418aa7ebc06367bcccac4addd0eddce7cbd38f46db48ec4
Instruction Fuzzy Hash: 1D2180755093808FDB13CF24D594716BF71EB46218F28C5DBD8498F6A7C33A984ACB62

Function 0141D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843833509.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: e185427eb7ef7a9a28c249b672301f96fc4070203ecc26e723beaa8489d7baa2
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 2A21B4B6904240DFDB16CF54D9C4B56BF71FB84324F24C5AADD090B66AC336D416CB91

Function 0141D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843833509.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 032cbecd9d0f39893e3fb87c143c61015a655bf4abb7bc867ae7aed4efecad35
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0811D2B2844240CFDB16CF44D5C4B56BF71FB94314F24C6AAD9090B26AC33AD456CB91

Function 0142D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843935234.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_142d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 44f4e573bd2c65f73d0ffe417039305df87d802bb2ff670f2f3407fd1257798c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5311BB75904280DFDB02CF54C5C4B16BFA1FB85224F24C6AAD8494B3A6C33AD44ACB61

Function 0141D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843833509.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45f0908ec2785f411385bf0f7ad9b11652a76b27d9b212f3677a903c4b5a8fc
Instruction ID: 2438ed8f2901c44b6690ab50513571e2778af6a864c932360358a867e2908f4b
Opcode Fuzzy Hash: b45f0908ec2785f411385bf0f7ad9b11652a76b27d9b212f3677a903c4b5a8fc
Instruction Fuzzy Hash: 5C0120B140438099F7115E59CDCC767FF9CDF41324F08C52BED194A25AD679D441C6B1

Function 0141D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1843833509.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004aa228e9914452bf764b9c53f37a1989aeb714c8c9bc02dd4d9daeee87a9d3
Instruction ID: af8eba2bb5b574c6bff9fe1eae722c30fcbb0031d6804bbc3d8835e075fa738b
Opcode Fuzzy Hash: 004aa228e9914452bf764b9c53f37a1989aeb714c8c9bc02dd4d9daeee87a9d3
Instruction Fuzzy Hash: 38F06275404384AAE7119E5ACCC8B63FFA8EF51734F18C45AED184A29AC2799844CAB1

Non-executed Functions

Function 02C7D8EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1844346371.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c70000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c3577f85de8afa0d8609cc8c4afd739fd362d352c2168cb584a8cdecb8b6e3
Instruction ID: 691cd81299d5c1ed9cd5db1ce808f5efc9ea3b3f7bff17ff9266af40d19dffc9
Opcode Fuzzy Hash: a7c3577f85de8afa0d8609cc8c4afd739fd362d352c2168cb584a8cdecb8b6e3
Instruction Fuzzy Hash: ECA16032E00205CFCF05DFB5C8809AEBBB2FF85314B15856AE806AB265DB71E956CF40

Analysis Process: RENH3RE2025QUOTE.exePID: 7644, Parent PID: 7412COMMON

Executed Functions

Function 014219B8 Relevance: 8.5, Strings: 6, Instructions: 988COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01421A76
Xbq, xrefs: 01421B2F
Xbq, xrefs: 01421B7C
Xbq, xrefs: 01421AB0
Xbq, xrefs: 01422CBE
Xbq, xrefs: 01422C95

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: 6c66c7f87f4b91bf4aa647573a2c4c3d24f454ec614cf4c6dbc55440bbe92971
Instruction ID: 529b5ed382e2f0a77d8b74be4abae39a023e660cbca020232fa8f8e4bfa9907d
Opcode Fuzzy Hash: 6c66c7f87f4b91bf4aa647573a2c4c3d24f454ec614cf4c6dbc55440bbe92971
Instruction Fuzzy Hash: 227258319983528BC7A1CF6484421A9FBF2FBD2230B1AD79EC0C64A952D77D9C978B41

Function 0142C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0142F910

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 7fea8a763773603c9f424846f2baab4982ce1b028f1a32248e781683accc148b
Instruction ID: 350a85364455a357e8d86b7ecbd90abb2cb77bcaca52a220f2c36a3e3b0dbb9e
Opcode Fuzzy Hash: 7fea8a763773603c9f424846f2baab4982ce1b028f1a32248e781683accc148b
Instruction Fuzzy Hash: 2273E631D10B5A8EDB11EF68C854A99FBB1FF99300F51D69AE44877221EB70AAC4CF41

Function 01422DD1 Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01422E0F
$^q, xrefs: 01422DF6

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 6d92e3ec90792714af9cc72ef5248d886f77568ff0338c3f6be7621c7430cde9
Instruction ID: aaee5481332f9cbb13402f30f96b0a314c7e15f3d8a0ad8303ac2b4ad275c5fe
Opcode Fuzzy Hash: 6d92e3ec90792714af9cc72ef5248d886f77568ff0338c3f6be7621c7430cde9
Instruction Fuzzy Hash: BB91A774B00254DBDB28DF78845427EBBB7BFC8704B44892EE546EB398DE39C8428795

Function 01429480 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37857fd34e14f6d1af9067ed1492d2cd716460df81541a3b919fa0be8bec9dd0
Instruction ID: da395a71830d9b18b5174fafdf25e67d49c5bac138277c7de9a906ca50e7f9ac
Opcode Fuzzy Hash: 37857fd34e14f6d1af9067ed1492d2cd716460df81541a3b919fa0be8bec9dd0
Instruction Fuzzy Hash: B6C1A274E01218CFDB14DFA9D994B9DBBB2FF88304F1485AAD809A7364DB359A85CF10

Function 0142C521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bcaee0ae7b15796c96906a43901bf0e6f2b53fb5a188ecfd6c3274429694c6
Instruction ID: 64920551e9bfa46427153c9725ab8d8a860c6951687eb9bce3053157aba6178e
Opcode Fuzzy Hash: 67bcaee0ae7b15796c96906a43901bf0e6f2b53fb5a188ecfd6c3274429694c6
Instruction Fuzzy Hash: 53A11571D016298EDB10DFA9C8946DDFBB1FF89310F54C2AAE408A7261EB709AC5CF41

Function 01429A30 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0850fca134f2ff99ff7da6fa3fc1f53c42e2eb28b2d135d232f4d7fe278d2769
Instruction ID: 611fb377938864caa7c7ead64661a868d771df77c719ad993805706636273d6f
Opcode Fuzzy Hash: 0850fca134f2ff99ff7da6fa3fc1f53c42e2eb28b2d135d232f4d7fe278d2769
Instruction Fuzzy Hash: 27A10370D002188FEB14DFA9C598BDDBBB1FF88304F20926AE509AB3A1DB745985CF50

Function 01429D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff63f2703b2567bbfb893ee94f33630c656b9c82da7031e89642005d030989b6
Instruction ID: a4190ddc082792aba0a7fa83a3e6f4e5b02e64baa4755630f367ba36627b6429
Opcode Fuzzy Hash: ff63f2703b2567bbfb893ee94f33630c656b9c82da7031e89642005d030989b6
Instruction Fuzzy Hash: B491E370D00228CFEB14DFA8C588BDDBBB1FF49314F20925AE519AB2A1DB749985CF14

Function 0142946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b592286198a88dbb3006cd6458f125fac6ff422fb1163670a17d0a3f9d16a498
Instruction ID: 659bdfd0df545dd7800d9991c959ae8de1b929e7c1cb9f00fecb33091dd9c4c6
Opcode Fuzzy Hash: b592286198a88dbb3006cd6458f125fac6ff422fb1163670a17d0a3f9d16a498
Instruction Fuzzy Hash: F441E274E01258CBEB18CFAAD4546DDBBF2BF89304F24D02AD819AB364DB344946CF50

Function 0142B500 Relevance: 6.6, Strings: 5, Instructions: 386COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0142B6EA
TJcq, xrefs: 0142B97A
Hbq, xrefs: 0142B54E
Hbq, xrefs: 0142B749
8cq, xrefs: 0142B941

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: 8cq$Hbq$Hbq$Hbq$TJcq
API String ID: 0-1895975235
Opcode ID: cf3161ec63ee41f3a85b5a16ee5b83e0ff43cbc7ae1669af942f59e95a6eaddd
Instruction ID: bd284025862a22ae20d421f444579e9771277826e226bda1654ecc9b489c6ea6
Opcode Fuzzy Hash: cf3161ec63ee41f3a85b5a16ee5b83e0ff43cbc7ae1669af942f59e95a6eaddd
Instruction Fuzzy Hash: 03D1E731B002148FDB15DF6CC494AAE7BB6FF88320F64456AE505EB3A1CA35DC86CB51

Function 01423F78 Relevance: 6.4, Strings: 5, Instructions: 123COMMON

Download Yara Rule

Strings

Ljep, xrefs: 01424088
PH^q, xrefs: 014240F2
PH^q, xrefs: 014240E1
Ljep, xrefs: 01424078
0oep, xrefs: 01423FDA

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: 0oep$Ljep$Ljep$PH^q$PH^q
API String ID: 0-3389534153
Opcode ID: 427ceddaea821b88b33fe983dbf479793734daf5d910d7d839f9c79ed747bd2b
Instruction ID: 5588660e47b65199d65cf56e02e14ad0eea532659d730e65250aa88b216031f9
Opcode Fuzzy Hash: 427ceddaea821b88b33fe983dbf479793734daf5d910d7d839f9c79ed747bd2b
Instruction Fuzzy Hash: A851C574E00218DFDB48DFA9D59499DBBF2FF89310F14842AE815AB364DB749885CF10

Function 0142AD3D Relevance: 5.6, Strings: 4, Instructions: 563COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0142B1D3
Hbq, xrefs: 0142B239
, xrefs: 0142B065
Hbq, xrefs: 0142B206

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: 44158fb941920f0f026c1347a8dc74ea5d61a60886ce6e1207414a871d712359
Instruction ID: dd91f2b22174d91462e252744cf752e12e7e4a945f837b2886516fecc06771ec
Opcode Fuzzy Hash: 44158fb941920f0f026c1347a8dc74ea5d61a60886ce6e1207414a871d712359
Instruction Fuzzy Hash: 85A106307042248FDB265F7C985866E7BA2FF89364F64462AE922DB3E1CF359C41C751

Function 0142B869 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

TJcq, xrefs: 0142B97A
8cq, xrefs: 0142B941

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: 3310de253cca9a59bd940599faae8e0ab1fd6ac0a0fc66fcd8875bb673d71ce0
Instruction ID: 7c49095792be9b91fe8d24e3699c6af8f1e1748c33c72db4adcea3314c05ff7e
Opcode Fuzzy Hash: 3310de253cca9a59bd940599faae8e0ab1fd6ac0a0fc66fcd8875bb673d71ce0
Instruction Fuzzy Hash: 74310635B401198FCB05EFA8C580E9EBBB2FF88220F555495E505AB375CA70EC85CB91

Function 0142B89D Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

TJcq, xrefs: 0142B97A
8cq, xrefs: 0142B941

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: 1e8b589c176a1df2aba3a07f77a86401676a07ef262491748b2cf3f635cf971b
Instruction ID: 62ab51135416abe2094925fe416d8d33a09a92743d1277f59b6d2ab920dbddda
Opcode Fuzzy Hash: 1e8b589c176a1df2aba3a07f77a86401676a07ef262491748b2cf3f635cf971b
Instruction Fuzzy Hash: 4B313735B401198FCB05EFA8C980E9EBBB2EF88320F654495E505AB375CA70EC85CB91

Function 01420B20 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01420B62

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: befb30ec1d9405142e804ae23637a7b7b8739fd8e1f8c9a96495cf3413496611
Instruction ID: f00593ab768746d0c47907684ebbbaae87c6de50891d1c70dae5329fe002b95d
Opcode Fuzzy Hash: befb30ec1d9405142e804ae23637a7b7b8739fd8e1f8c9a96495cf3413496611
Instruction Fuzzy Hash: E8A1FEB4A4020EDFCB15EFA8E9D499DBBB1FB48305B104539E415AB369EB30AD45CF90

Function 01420B30 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01420B62

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a845b47217163d10a35f7ac3407b02d8248046ccfb8f3d8ae48af2ae9c35d03c
Instruction ID: 335246aa07fa032ec9e1d0f69f3c3cff318e98485275f2992f86cd659cff561c
Opcode Fuzzy Hash: a845b47217163d10a35f7ac3407b02d8248046ccfb8f3d8ae48af2ae9c35d03c
Instruction Fuzzy Hash: D5A1CBB4A4020EDFCB15EFA8E9D499DBBB1FB48305B104529E415AB369EB30AD45CF90

Function 0142BC98 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0142BD2D

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 5259ea58e0731bd6fc8474d40e5b46ea525007698a14a7138cae14a069f3d872
Instruction ID: d35b480b943050baf1766cab76cf99a8bca9e34833e4c406d40baea67ad2010b
Opcode Fuzzy Hash: 5259ea58e0731bd6fc8474d40e5b46ea525007698a14a7138cae14a069f3d872
Instruction Fuzzy Hash: B031C531A042099FCB04EF79D855AAE7FF6EF99200B54447EE909DB351DE309D46C790

Function 0142BDD9 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0142BE36

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 393d3bccbcc6c08503a74431ce18f56c1a4f86479bf6d1799c65e8217b6f649c
Instruction ID: 81fd17b1360b43debffd0eacaf507dd2a1dcf62c87773addd3bedf3725365643
Opcode Fuzzy Hash: 393d3bccbcc6c08503a74431ce18f56c1a4f86479bf6d1799c65e8217b6f649c
Instruction Fuzzy Hash: C52101306041499FCB09DF7DC990AAE7FB6FF89310F65806AE9058B3A5CE308D46C790

Function 0142BF6F Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f6e1ef0f63472edbb57502dc9c9dc9f5be98bf46681635020b3a77ca08f005
Instruction ID: 736fccfb57b9691bdfb4b5f5ca2b2a3ec0bf03b792cbef826589b0f48cf6c901
Opcode Fuzzy Hash: 21f6e1ef0f63472edbb57502dc9c9dc9f5be98bf46681635020b3a77ca08f005
Instruction Fuzzy Hash: 0F5125B2B002159FCB148ABDDC84AAFBBB9EBC9320F54853FE519D7760D635D8418760

Function 01423158 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354c0c8fae4844ed28cea072c34212fd9ad5e29a3ef83da91a58f4498ceb3db8
Instruction ID: cdeb663e1c93f80a2e188e18582631d251a163a3b917cf201f4bf0d5f79b9c4b
Opcode Fuzzy Hash: 354c0c8fae4844ed28cea072c34212fd9ad5e29a3ef83da91a58f4498ceb3db8
Instruction Fuzzy Hash: 1641C274E01218DFDB58DFAAD98499DBBF2BF89310F24942AE805BB364DB349841CF14

Function 01423168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68912b12f211a646a937475170c605b5d0d2eba7bfb2af4f648fd487acd85933
Instruction ID: edcc79d67d4afbbf0a20a3ff2342e71b2d3aaded55e6973f04aae8480020bf5f
Opcode Fuzzy Hash: 68912b12f211a646a937475170c605b5d0d2eba7bfb2af4f648fd487acd85933
Instruction Fuzzy Hash: 3241C274E01218DFDB18DFAAD49499DBBF2BF89300F24942AE805BB364DB349841CF14

Function 01429249 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a650870180b43d3d293c576288cbb5d7665f9a7cdfe6b17c628dc9ac2acfc3c
Instruction ID: 6a2c6842f744fbb8de7e17f33a0a3b765cfced3c4a7c27240326ffbb0702b52b
Opcode Fuzzy Hash: 7a650870180b43d3d293c576288cbb5d7665f9a7cdfe6b17c628dc9ac2acfc3c
Instruction Fuzzy Hash: 6D31AD3003A60A8FD34C7B21A9AE3BABFA4FF4F363B04AD41F54A80524AF3040488F54

Function 014218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5654f6657c166be5222a192f7522b4f04df7f231a86e6a97f36a2a1eb08a071e
Instruction ID: 8860ea763e3e2cf1e00d4290ebe7dca1b617477d1510fe4cd082f4c36d678ad9
Opcode Fuzzy Hash: 5654f6657c166be5222a192f7522b4f04df7f231a86e6a97f36a2a1eb08a071e
Instruction Fuzzy Hash: 4D21F471B00116AFCB14DF34C4409AF37A4EB89654B50C41ED84E9B350EA35EA46CBD2

Function 013DD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3065997777.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13dd000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1ce400f5472dfb11cf757e0a7b0e974bb2420cef4908d091201e3716b68472
Instruction ID: 7ed2f304775f434c3e2bc57e87a204820a62eede97e531eb4aec8e5e3adfa9ac
Opcode Fuzzy Hash: ec1ce400f5472dfb11cf757e0a7b0e974bb2420cef4908d091201e3716b68472
Instruction Fuzzy Hash: BE210472504204DFDB15DFA8E9C0B26BBA5FBC4318F24C56DD9094B696C33AD447CA62

Function 01420EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c3ea9c669e3282c4310ea5eb6656211ca30236863814e3441696b753b14e49
Instruction ID: 778e7aa225232fd7f81aaed62680dd48609e622df027048cfd10236a78a934d0
Opcode Fuzzy Hash: 05c3ea9c669e3282c4310ea5eb6656211ca30236863814e3441696b753b14e49
Instruction Fuzzy Hash: B3216A78A402199FCB05EFB9D4506AEBBB2FF84308F10C4AED405AB764DB748A85CF41

Function 013DD006 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3065997777.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13dd000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ee5c0efc421fe7ecf4e1180bc3bc94adc332228520b69105a71c643107262a
Instruction ID: 7b8cc40aca61ff137973af76f823828a103c9637470f7c3a485cff19c4cb5930
Opcode Fuzzy Hash: c6ee5c0efc421fe7ecf4e1180bc3bc94adc332228520b69105a71c643107262a
Instruction Fuzzy Hash: 71218E7650D3C08FDB13CF64D990715BF71AB46214F28C5DBD8898F6A7C23A980ACB62

Function 0142BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac72163bbc58048c0fe80c3694f78a26d88d113874e68a0c50b76f396d72bf3
Instruction ID: a5f91d9387a54aaf8e575339e194ea3f41dedac190259eb739d50ef5fcf5376a
Opcode Fuzzy Hash: 4ac72163bbc58048c0fe80c3694f78a26d88d113874e68a0c50b76f396d72bf3
Instruction Fuzzy Hash: 1911BC727002108FC724DB29E988A56BBE6FF88720B10807AE20ACB735CA71EC44CB10

Function 014217B8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bcedd97bfbab3e0ea1e877be3e56b103aa1ec52eaede52d0231ed7602f34ea
Instruction ID: ff53fd0c7318e60105898be80c39fd8a0bfa6a6807740f90c3961f0ca2a81f53
Opcode Fuzzy Hash: d8bcedd97bfbab3e0ea1e877be3e56b103aa1ec52eaede52d0231ed7602f34ea
Instruction Fuzzy Hash: 42210470D0525A8FCB11DFA9D9945EEBFF0FF4A304F04416AD405BB265EB305A89CBA1

Function 0142C108 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94edcc934916d17602c2586849f37ba2f4206fe3014e95ad96fa761eb6e592a
Instruction ID: 1ed5f0c3bb7f37c36d4590a6c7e22c261da572787ada077f0f53fe3f5d7f7c5b
Opcode Fuzzy Hash: f94edcc934916d17602c2586849f37ba2f4206fe3014e95ad96fa761eb6e592a
Instruction Fuzzy Hash: FD11A035E002258BCB24EFBD94855AEBFF1AF88250BA4453AD509E3310DB319C828BE5

Function 01424850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8157b103747d5e84fd30b7fc5d21a8dee7f9aea36421a76735659b0adccb3ac6
Instruction ID: 52148dcd4b0f18ef72b9a0d0c79818441705386d73b3ced1ba0e775d84855eb7
Opcode Fuzzy Hash: 8157b103747d5e84fd30b7fc5d21a8dee7f9aea36421a76735659b0adccb3ac6
Instruction Fuzzy Hash: 4701F536B003115FE7249AB9880866B76E7EFC5224316847AC509CB325FEB0C8468792

Function 01424860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa47a7419101a46bbda0e6ce0e96c15128759c6fa895172e4bf9d2d8080ab471
Instruction ID: d5855bf42264d88e6c670548e7844ca57e5d96dda557cf2bdc24182d6dd531d7
Opcode Fuzzy Hash: aa47a7419101a46bbda0e6ce0e96c15128759c6fa895172e4bf9d2d8080ab471
Instruction Fuzzy Hash: BF01D636B002115FE724AB79884863F76EBEFC5524355847AD909CB328FEB0C8058792

Function 0142BEE9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bbdaa853f6ac0d67a8b9e8acb1a2627c8289e1f914f8792911a5a055369dfb
Instruction ID: 2f3b49ad291b57bc672a8e59e6543032cef712e481091a2b4a44c8fc8cfc7e64
Opcode Fuzzy Hash: 06bbdaa853f6ac0d67a8b9e8acb1a2627c8289e1f914f8792911a5a055369dfb
Instruction Fuzzy Hash: E90147316083589FCB151B789C198AE3FA6EFC9310B064467FA0ACB3A2CE35CC01C751

Function 0142A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec811ab9c109e9cdff347b80f8c4dfcfe5099242f8ec8e71b18a9ce11b37504
Instruction ID: 68dc5e7c1ee9fb6a3b40f45a24a9dbcb68626af2fb99f91b11f6d4bae4d67272
Opcode Fuzzy Hash: 7ec811ab9c109e9cdff347b80f8c4dfcfe5099242f8ec8e71b18a9ce11b37504
Instruction Fuzzy Hash: BC018C71E002199FCB189F69D8496AF7FB5EF88350B50442AF91A93250DF348D10CBA1

Function 0142A4F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed976a4bd0d7d25f4959b30f5543cbfb57b9d5aa7ff0da8c975689ca155c9ce
Instruction ID: 4cab855f93d7288f3598ef0e89de9544e1cbc7963ee16bede550e673eaa29cf0
Opcode Fuzzy Hash: 3ed976a4bd0d7d25f4959b30f5543cbfb57b9d5aa7ff0da8c975689ca155c9ce
Instruction Fuzzy Hash: D0015A72A0411AAFCB14DFA8D845AEF7FB5EB88210B50412AF959D3251DB308955CB92

Function 0142C1A0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a164e4848dcfea8166b08ec38062308c1ea8144286e9b962fb923ebd3783b2
Instruction ID: 8e56f026f9b805a7108a3436b85d3847a07e59a4c8616be89bb5ebcbc2d546a5
Opcode Fuzzy Hash: 06a164e4848dcfea8166b08ec38062308c1ea8144286e9b962fb923ebd3783b2
Instruction Fuzzy Hash: 50F0E976B045214BCB19567DE4557ADB7A5EFD4231B24007BE509E7360CE35DC428750

Function 0142B9E9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b497b166a7994ead1f2a65be8cd1260e51c8dea2bcca5545d194d11f74a1343
Instruction ID: 5611ca1d5af526c8bee21e569c92d4b9b32d86779c3218e602700b7aa802a0ee
Opcode Fuzzy Hash: 1b497b166a7994ead1f2a65be8cd1260e51c8dea2bcca5545d194d11f74a1343
Instruction Fuzzy Hash: 1AF0C275D00208AF8B10DFB995409EFBBF6FF48210B14813BE949D3214E6749A468BA2

Function 0142BE98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb936141f68d18ecc07fd7f45d75e1639a6f7f4e121ca5c3002c4b34385f7ca3
Instruction ID: 1b7ad2ee55fabb4591dc2cf046f370d53208163d6111c35eda1a23cb2f9c57ac
Opcode Fuzzy Hash: eb936141f68d18ecc07fd7f45d75e1639a6f7f4e121ca5c3002c4b34385f7ca3
Instruction Fuzzy Hash: 30F05E35300115DFC701CF69D888D6ABBEAFF88721754806AFA0987331CB719C51CB80

Function 014246C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52eea661f7dda09dba806e544b111f83f97d16e366118df1bb11ef971fe163c1
Instruction ID: 943fbe2fa6ee11d6abcb65160866a3dec302a1debd695fc038972173096223f6
Opcode Fuzzy Hash: 52eea661f7dda09dba806e544b111f83f97d16e366118df1bb11ef971fe163c1
Instruction Fuzzy Hash: 34F09231027342CFD7222B60B9AC23A7F7AEB0B323B486D86E00AC546ACB714458CB11

Function 014246D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486f35bb3e04abc2fafc31f55c76d04d62862aaf755dab963c8da936b22dd5d5
Instruction ID: 7778610b445929cac7e65d1859382938e23c034127c061d999019804aba5a5fc
Opcode Fuzzy Hash: 486f35bb3e04abc2fafc31f55c76d04d62862aaf755dab963c8da936b22dd5d5
Instruction Fuzzy Hash: 11E0FE34023306CBE7322B65B5AC63ABABAEB0B323F847D01B11E814298F704488CB54

Function 01421877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ad3d617bd4f54c51cd1e2d6836d6727ab5246837ef81e2d1a14042cc6c7806
Instruction ID: 6df5a63ce07a4c47ef5a351f8d220af83edafe62e44ac635cb67cd05b3d92750
Opcode Fuzzy Hash: b3ad3d617bd4f54c51cd1e2d6836d6727ab5246837ef81e2d1a14042cc6c7806
Instruction Fuzzy Hash: BDE0DF36E503268BC701AFB4EC100DDB334AE82264B054263C0A836190EB30169ECBA2

Function 01421888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabe3b3a40a3e580b0934e3204dbedfc0f4adc5b322d351735053653666399c2
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: cabe3b3a40a3e580b0934e3204dbedfc0f4adc5b322d351735053653666399c2
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 0142BF48 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f217f10e9abd175fc2a14fac45279a4db1157879a595b94e8e7787877a66dca5
Instruction ID: d434a5807dba974dcc50e9afd4dc0d0f70e1cf6a2500afe11fb37d6c67a48f52
Opcode Fuzzy Hash: f217f10e9abd175fc2a14fac45279a4db1157879a595b94e8e7787877a66dca5
Instruction Fuzzy Hash: FED0C736714114674B091A59E8058EE7F6EE7CD7717148026F91583350CE714D1197D5

Function 01424831 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f364e826a923d73fc9cfc8a3c9df50a3030f66202073db04244683483d3cd5
Instruction ID: 2b4438544edd0f9443a4bd6b61a5778f01fad4ec89d7cb7dbab057f4a2ab2ea6
Opcode Fuzzy Hash: c8f364e826a923d73fc9cfc8a3c9df50a3030f66202073db04244683483d3cd5
Instruction Fuzzy Hash: F0C02B3104D3D0CFCF63076088160A13FF0EE4332170204CFC0818900BF21C0A08CB1A

Non-executed Functions

Function 01421A40 Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01421A76
Xbq, xrefs: 01421B2F
Xbq, xrefs: 01421B7C
Xbq, xrefs: 01421AB0

Memory Dump Source

Source File: 00000005.00000002.3066281150.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1420000_RENH3RE2025QUOTE.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 25148811b6d1286ba1d0212e1ea70533050cfb66b6fbeac405db5d6c49037d70
Instruction ID: 8c196ae7b6d76f8efe636581cb114adcf94456079caa12e295cfadb4a38802e9
Opcode Fuzzy Hash: 25148811b6d1286ba1d0212e1ea70533050cfb66b6fbeac405db5d6c49037d70
Instruction Fuzzy Hash: FF31A430E0022A8BDF658BAD85503BFBBF6AF84710F55407BC509A7365EB7089C1CB92

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RENH3RE2025QUOTE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RENH3RE2025QUOTE.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hsgi25rr.ik0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lrarqjv3.ors.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqnfkuaq.eub.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztfsmvq1.gt2.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
RENH3RE2025QUOTE.exe

Function 02C77018 Relevance: 1.4, Strings: 1, Instructions: 177
COMMON

Function 02C74204 Relevance: 1.4, Strings: 1, Instructions: 176
COMMON

Function 02C7B3C1 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 02C7590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 02C744F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02C7B3B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02C7D9C1 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Function 02C7B5C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre