Edit tour
Windows
Analysis Report
Image Quote 011698.exe
Overview
General Information
| Sample name: | Image Quote 011698.exe |
| Analysis ID: | 1501083 |
| MD5: | 94c86f3cce220982807b72d29661c971 |
| SHA1: | 272c1496f143a9100bc98c92871cfd272f053b3b |
| SHA256: | 131e90fc74d13419eca131909b92daab5a260bfbdbb8dfe1c31dafa16d224705 |
| Tags: | exe |
 | |
Detection
| Score: | 64 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
Image Quote 011698.exe (PID: 7960 cmdline: "C:\Users\ user\Deskt op\Image Q uote 01169 8.exe" MD5: 94C86F3CCE220982807B72D29661C971)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
System Summary | |
|---|
| Source: | String found in binary or memory: | memstr_12755b49-8 | |
| Source: | String found in binary or memory: | memstr_bb84c96a-b | |
| Source: | String found in binary or memory: | memstr_848e5001-e | |
| Source: | String found in binary or memory: | memstr_929d7af1-9 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00FC8060 | |
| Source: | Code function: | 0_2_01032046 | |
| Source: | Code function: | 0_2_01028298 | |
| Source: | Code function: | 0_2_00FFE4FF | |
| Source: | Code function: | 0_2_00FF676B | |
| Source: | Code function: | 0_2_01054873 | |
| Source: | Code function: | 0_2_00FCCAF0 | |
| Source: | Code function: | 0_2_00FECAA0 | |
| Source: | Code function: | 0_2_00FF6DD9 | |
| Source: | Code function: | 0_2_00FDAFAC | |
| Source: | Code function: | 0_2_00FC91C0 | |
| Source: | Code function: | 0_2_00FE1394 | |
| Source: | Code function: | 0_2_00FDB731 | |
| Source: | Code function: | 0_2_00FE1706 | |
| Source: | Code function: | 0_2_00FE781B | |
| Source: | Code function: | 0_2_00FE19B0 | |
| Source: | Code function: | 0_2_00FD997D | |
| Source: | Code function: | 0_2_00FC7920 | |
| Source: | Code function: | 0_2_00FE7A4A | |
| Source: | Code function: | 0_2_00FE7CA7 | |
| Source: | Code function: | 0_2_00FE1C77 | |
| Source: | Code function: | 0_2_00FF9EEE | |
| Source: | Code function: | 0_2_0104BE44 | |
| Source: | Code function: | 0_2_00FCBF40 | |
| Source: | Code function: | 0_2_00FE1F32 | |
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | Static file information: | ||
| Source: | Code function: | 0_2_00FE0A89 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00FD9339 | |
| Source: | Code function: | 0_2_00FE4CE8 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00FE0698 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 55% | ReversingLabs | Win32.Trojan.Generic | ||
| 33% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1501083 |
| Start date and time: | 2024-08-29 12:10:36 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 15s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Image Quote 011698.exe |
| Detection: | MAL |
| Classification: | mal64.winEXE@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target Image Quote 011698.exe, PID 7960 because there are no executed function
- Not all processes where analyzed, report is missing behavior information
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.051078738685901 |
| TrID: |
|
| File name: | Image Quote 011698.exe |
| File size: | 1'524'736 bytes |
| MD5: | 94c86f3cce220982807b72d29661c971 |
| SHA1: | 272c1496f143a9100bc98c92871cfd272f053b3b |
| SHA256: | 131e90fc74d13419eca131909b92daab5a260bfbdbb8dfe1c31dafa16d224705 |
| SHA512: | 6af53b4a481dd56c25ea3dcb29cb135f5dafdbd74df4a19cf6238c5cb10579f79af6d133e25a3a852ff6da86eb6d717ef52c6aa01b7a2075e7ef8fa6d21e441b |
| SSDEEP: | 24576:3qDEvCTbMWu7rQYlBQcBiT6rpFd+zt1F0AsqTiT+n9DGBMXGawu:3TvC/MTQYxsWPkzt1bsqT8+nNGBYG |
| TLSH: | 0265D00273919056FE9B86338F56E1124B78AE260133E52F13993D7ABE701B1563E7B3 |
| File Content Preview: | MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z.... |
 | |
| Icon Hash: | 0f71f8a8b0586917 |
| Entrypoint: | 0x420577 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66CD1636 [Mon Aug 26 23:56:38 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | cc2b3e63a50ba98c3412285dee7a8f0b |
| Instruction |
|---|
| call 00007F4E0D08FFF3h |
| jmp 00007F4E0D08F8FFh |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F4E0D08FADDh |
| mov dword ptr [esi], 0049FDF0h |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FDF8h |
| mov dword ptr [ecx], 0049FDF0h |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F4E0D08FAAAh |
| mov dword ptr [esi], 0049FE0Ch |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 0049FE14h |
| mov dword ptr [ecx], 0049FE0Ch |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| and dword ptr [eax], 00000000h |
| and dword ptr [eax+04h], 00000000h |
| push eax |
| mov eax, dword ptr [ebp+08h] |
| add eax, 04h |
| push eax |
| call 00007F4E0D09269Dh |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| lea eax, dword ptr [ecx+04h] |
| mov dword ptr [ecx], 0049FDD0h |
| push eax |
| call 00007F4E0D0926E8h |
| pop ecx |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 0049FDD0h |
| push eax |
| call 00007F4E0D0926D1h |
| test byte ptr [ebp+08h], 00000001h |
| pop ecx |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x9d924 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | 8ae61a6e350a533e2f54998957fa045d | False | 0.3416281495418848 | data | 5.6093546346262535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x9d924 | 0x9da00 | 9442baa6265f494057657b59dfa7e366 | False | 0.797404713521015 | data | 7.602100947969714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x172000 | 0x7594 | 0x7600 | e0469d25efc50f58b71e2d65b015ddb5 | False | 0.0017213983050847457 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd4608 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xd4730 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xd4858 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd4980 | 0xea26 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9957959360715358 |
| RT_ICON | 0xe33a8 | 0x70f5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9989625479821558 |
| RT_ICON | 0xea4a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.1836034543948894 |
| RT_ICON | 0xfacc8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.2455854530166071 |
| RT_ICON | 0x104170 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.29061922365988907 |
| RT_ICON | 0x1095f8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.2848960793575815 |
| RT_ICON | 0x10d820 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.3548755186721992 |
| RT_ICON | 0x10fdc8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.41369606003752346 |
| RT_ICON | 0x110e70 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | Great Britain | 0.509016393442623 |
| RT_ICON | 0x1117f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.6365248226950354 |
| RT_MENU | 0x111c60 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0x111cb0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0x112244 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0x1128d0 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0x112d60 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0x11335c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0x1139b8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0x113e20 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0x113f78 | 0x5d3de | data | 1.0003299137511195 | ||
| RT_GROUP_ICON | 0x171358 | 0x92 | data | English | Great Britain | 0.7054794520547946 |
| RT_GROUP_ICON | 0x1713ec | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x171400 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x171414 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x171428 | 0x10c | data | English | Great Britain | 0.5932835820895522 |
| RT_MANIFEST | 0x171534 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
| MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
| OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
| PSAPI.DLL | GetProcessMemoryInfo |
| SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
| USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
| USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
| UxTheme.dll | IsThemeActive |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
| Target ID: | 0 |
| Start time: | 06:11:35 |
| Start date: | 29/08/2024 |
| Path: | C:\Users\user\Desktop\Image Quote 011698.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xfc0000 |
| File size: | 1'524'736 bytes |
| MD5 hash: | 94C86F3CCE220982807B72D29661C971 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
Function 00FDB731 Relevance: 16.6, Strings: 9, Instructions: 5385COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01028298 Relevance: 4.3, Strings: 3, Instructions: 568COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01054873 Relevance: 3.6, APIs: 2, Instructions: 566COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFE4FF Relevance: 2.9, APIs: 1, Instructions: 1381COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCBF40 Relevance: 2.4, Strings: 1, Instructions: 1168COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FCCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01032046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FDAFAC Relevance: .9, Instructions: 881COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF6DD9 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC7920 Relevance: .6, Instructions: 563COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FC91C0 Relevance: .5, Instructions: 475COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0104BE44 Relevance: .5, Instructions: 456COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD997D Relevance: .4, Instructions: 375COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF9EEE Relevance: .3, Instructions: 294COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF676B Relevance: .3, Instructions: 269COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE1C77 Relevance: .3, Instructions: 254COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE1F32 Relevance: .2, Instructions: 244COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE19B0 Relevance: .2, Instructions: 240COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE7A4A Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE7CA7 Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE1706 Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FD9339 Relevance: .1, Instructions: 130COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE4CE8 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFCE90 Relevance: 12.2, APIs: 8, Instructions: 209COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01025622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0102ED19 Relevance: 10.6, APIs: 7, Instructions: 137COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0104AFF9 Relevance: 7.9, APIs: 5, Instructions: 418COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 01025711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFB952 Relevance: 6.4, APIs: 4, Instructions: 370COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FF8D45 Relevance: 6.3, APIs: 4, Instructions: 300COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0105833C Relevance: 6.2, APIs: 4, Instructions: 196COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FFB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE00C6 Relevance: 6.1, APIs: 4, Instructions: 81COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE3382 Relevance: 6.1, APIs: 4, Instructions: 60COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00FE3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|